<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-sysadm] [82] ACLs:
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B82%5D%20ACLs%3A&In-Reply-To=%3C20101104120616.57DDF2B235%40krampouezh.mageia.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000187.html">
   <LINK REL="Next"  HREF="000191.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-sysadm] [82] ACLs:</H1>
    <B>root at mageia.org</B> 
    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B82%5D%20ACLs%3A&In-Reply-To=%3C20101104120616.57DDF2B235%40krampouezh.mageia.org%3E"
       TITLE="[Mageia-sysadm] [82] ACLs:">root at mageia.org
       </A><BR>
    <I>Thu Nov  4 13:06:16 CET 2010</I>
    <HR>  
<!--beginarticle-->
<PRE>Revision: 82
Author:   buchan
Date:     2010-11-04 13:06:15 +0100 (Thu, 04 Nov 2010)
Log Message:
-----------
ACLs:
  Add ACLs required for self-registration application to registrar system group
  Allow Account admins to unlock accounts (write to pwdAccountLockedTime)
  Allow users to update their email address and preferredLanguage
Schema:
  Switch to rfc2307bis (replacing nis.schema and autofs.schema)
  Add LPK

Modified Paths:
--------------
    puppet/modules/openldap/templates/mandriva-dit-access.conf
    puppet/modules/openldap/templates/slapd.conf

Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-04 01:19:58 UTC (rev 81)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-04 12:06:15 UTC (rev 82)
@@ -19,6 +19,13 @@
 	by * break
 
 # userPassword access
+# Allow account registration to write userPassword of unprivileged users accounts
+access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+	filter=&quot;(&amp;(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))&quot;
+	attrs=userPassword,pwdReset
+	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; +a
+	by * +0 break
+
 # shadowLastChange is here because it needs to be writable by the user because
 # of pam_ldap, which will update this attr whenever the password is changed.
 # And this is done with the user's credentials
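Review bot: The registrar grant in the new `access to dn.subtree="ou=People,dc=mageia,dc=org"` rule reaches every existing inetOrgPerson that is not a posixAccount, not only entries the registration application is creating, and since `+a` permits adding a value to the multi-valued userPassword attribute, a member of `cn=registrars` can attach a credential to any such account. That is what the log message asks for, but the trust placed in the registrars group should be stated where the rule lives, e.g. extend the comment to `# Allow account registration to write userPassword of unprivileged users accounts (note: covers ANY non-posix account, not only newly created ones)`. The registrar clause also carries no control keyword, so presumably the default `stop` applies and later userPassword rules are never reached for group members on matching entries; if that is not intended, append `break` as the following `by * +0 break` line does.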
@@ -68,7 +75,7 @@
 
 # pwdReset, so the admin can force an user to change a password
 access to dn.subtree=&quot;dc=mageia,dc=org&quot;
-	attrs=pwdReset
+	attrs=pwdReset,pwdAccountLockedTime
 	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
 	by * read
 
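Review bot: pwdAccountLockedTime is now readable `by * read` on the `access to dn.subtree="dc=mageia,dc=org"` rule, so any client — anonymous ones too, unless an earlier rule outside this hunk denies them — can see which accounts are locked out; the pre-existing `by * read` on pwdReset had the same exposure, and this change extends it to lockout state. Unless some consumer needs it, limit it to the owner and the admins, e.g. `by self read` followed by `by * none`; as far as I can tell the ppolicy overlay maintains pwdAccountLockedTime through internal operations and does not rely on this ACL. The comment above the rule, `# pwdReset, so the admin can force an user to change a password`, should also mention that the same rule now lets Account Admins clear lockouts.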
@@ -80,7 +87,7 @@
 
 # let the user change some of his/her attributes
 access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
-	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
+	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
 	by self write
 	by * break
 
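Review bot: Adding mail to the `by self write` list in the `attrs=carLicense,...,mail,preferredLanguage` rule lets a user set the entry's mail to any string, including an address belonging to another account, and nothing in the hunk enforces uniqueness or ownership. The same commit hands mail to the registration flow (the registrar rule later in this file adds it), so if mail is ever used as a lookup key for registration or password recovery, a self-chosen value becomes a way to impersonate another account's address. Consider the `unique` overlay on mail, or keeping mail under the registrar/admin rule so the application changes it only after verifying the address; if such a check already exists elsewhere, record it here, e.g. `# mail is self-writable; uniqueness and verification are enforced by <APPLICATION-NAME>`.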
@@ -139,6 +146,17 @@
 	by group.exact=&quot;cn=DNS Readers,ou=System Groups,dc=mageia,dc=org&quot; read
 	by * none
 
+# registration - allow registrar group to create basic unprivileged accounts
+access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+	attrs=&quot;objectClass&quot; 
+	val=&quot;inetOrgperson&quot; 
+	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; write by * +0 break
+
+access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+	attrs=&quot;cn,sn,gn,mail,entry,children&quot; 
+	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; +a break
+	by * +0 break
+
 # MTA
 # XXX - what else can we add here? Virtual Domains? With which schema?
 access to dn.one=&quot;ou=People,dc=mageia,dc=org&quot;
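Review bot: The `attrs="objectClass" val="inetOrgperson"` rule governs only that one value; when a registrar adds an entry whose objectClass also lists other classes (posixAccount among them), those values fall through `by * +0 break` to rules outside this hunk, so the intended restriction to unprivileged accounts depends on what those later rules say — confirm they deny objectClass write to the registrars group, because the userPassword rule earlier in this file relies on `!(objectclass=posixAccount)` to keep privileged accounts out of reach. The value is spelled `inetOrgperson` here but `inetOrgPerson` in that filter; objectClass matching is case-insensitive so both work, but spell it consistently, `val="inetOrgPerson"`. The second new rule grants `+a` on `entry` and `children` with no filter, i.e. creation of arbitrary children below ou=People, which only the objectClass rule bounds; say so in the comment, e.g. `# registrars may add entries below ou=People; what they may contain is bounded by the objectClass rule above`. Minor: put `by * +0 break` on its own line as in the other rules and drop the trailing whitespace on the `access to` and `attrs=` lines.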

Modified: puppet/modules/openldap/templates/slapd.conf
===================================================================
--- puppet/modules/openldap/templates/slapd.conf	2010-11-04 01:19:58 UTC (rev 81)
+++ puppet/modules/openldap/templates/slapd.conf	2010-11-04 12:06:15 UTC (rev 82)
@@ -7,9 +7,9 @@
 include	/usr/share/openldap/schema/krb5-kdc.schema
 #include /usr/share/openldap/schema/kerberosobject.schema
 include	/usr/share/openldap/schema/misc.schema
-include	/usr/share/openldap/schema/nis.schema
+include	/usr/share/openldap/schema/rfc2307bis.schema
 include	/usr/share/openldap/schema/openldap.schema 
-include /usr/share/openldap/schema/autofs.schema
+#include /usr/share/openldap/schema/autofs.schema
 include /usr/share/openldap/schema/samba.schema
 include /usr/share/openldap/schema/kolab.schema
 include /usr/share/openldap/schema/evolutionperson.schema
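Review bot: Replacing nis.schema with rfc2307bis.schema changes definitions that existing data may rely on — in the commonly shipped rfc2307bis variants posixGroup becomes AUXILIARY and the automount classes are defined there, which is presumably why autofs.schema is commented out — so entries already loaded under the nis.schema shape, and clients that expect it, need a migration step this puppet change does not show. Explain the disabled include on the line above it rather than leaving a bare commented-out line (slapd.conf does not accept trailing comments on a directive): `# automount classes now come from rfc2307bis.schema, autofs.schema would conflict`. Also confirm rfc2307bis.schema is present in the openldap package on the target host, since a missing include aborts slapd startup.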
@@ -19,6 +19,7 @@
 include /usr/share/openldap/schema/dhcp.schema
 include /usr/share/openldap/schema/dyngroup.schema
 include /usr/share/openldap/schema/ppolicy.schema
+include /usr/share/openldap/schema/openssh-lpk_openldap.schema
 
 #include	/etc/openldap/schema/local.schema
 
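Review bot: Including openssh-lpk_openldap.schema introduces sshPublicKey, an attribute that grants shell access wherever LPK is consumed, but the access-control template changed in the same commit adds no rule for it, so who may write it is decided by whatever generic rules follow in mandriva-dit-access.conf. Whether users may manage their own keys or only Account Admins may is a security decision that should be explicit rather than inherited from a fallback; add a rule next to the other per-attribute rules, e.g. `access to dn.subtree="ou=People,dc=mageia,dc=org" attrs=sshPublicKey`, `by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write`, `by self read` (or `self write` if users are meant to publish their own keys), with a comment stating the choice.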
-------------- next part --------------
An HTML attachment was scrubbed...
URL: &lt;/pipermail/mageia-sysadm/attachments/20101104/5c4bc26c/attachment.html&gt;
</PRE>



<!--endarticle-->
    <HR>
</body></html>