<PRE>Revision: 134
Author:   buchan
Date:     2010-11-05 13:19:23 +0100 (Fri, 05 Nov 2010)
Log Message:
-----------
Finalise registration ACLs
Restrict anonymous access (to none)
Add some additional ACLs to put back some access that previously relied on anonymous
Listen on all IP addresses, and ldapi
Set localSSF equal to the ssf requirement, so that ldapi, ldaps and ldap+StartTLS are all accepted

Modified Paths:
--------------
    puppet/modules/openldap/templates/ldap.sysconfig
    puppet/modules/openldap/templates/mandriva-dit-access.conf
    puppet/modules/openldap/templates/slapd.conf

Modified: puppet/modules/openldap/templates/ldap.sysconfig
===================================================================
--- puppet/modules/openldap/templates/ldap.sysconfig	2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/ldap.sysconfig	2010-11-05 12:19:23 UTC (rev 134)
@@ -3,7 +3,7 @@
 SLAPDSYSLOGLOCALUSER=&quot;local4&quot;
 
 # SLAPD URL list 
-SLAPDURLLIST=&quot;<A HREF="ldap://127.0.0.1/">ldap://127.0.0.1/</A> <A HREF="ldaps://127.0.0.1/">ldaps://127.0.0.1/</A>&quot;
+SLAPDURLLIST=&quot;<A HREF="ldap:///">ldap:///</A> <A HREF="ldaps:///">ldaps:///</A> <A HREF="ldapi:///">ldapi:///</A>&quot;
 
 # Config file to use for slapd
 #SLAPDCONF=/etc/openldap/slapd.conf
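Review bot: The new `ldap:///` entry binds the cleartext port on every interface, where the old `ldap://127.0.0.1/` kept it loopback-only; the `security ssf=56` added to slapd.conf in this same commit makes slapd refuse operations on a connection that has not negotiated StartTLS, but as I read it that refusal happens after the request PDU is read, so a mis-configured client that sends a simple bind before StartTLS has already put its password on the wire. If the goal is only to make ldaps and ldapi reachable, `ldap://127.0.0.1/` could stay as it was with `ldaps:///` and `ldapi:///` as the externally reachable listeners, or the cleartext port should be limited by a host firewall — neither choice is visible from this template. `ldapi:///` with no path uses slapd's compiled-in default socket, and nothing in this file sets the socket's mode or ownership, so it is worth confirming the default matches who is expected to bind over it locally. A comment such as `# ldap:// is now exposed on all addresses; slapd.conf 'security ssf=56' requires StartTLS before any operation` would record the dependency between the two files.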

Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-05 12:19:23 UTC (rev 134)
@@ -85,11 +85,24 @@
 	by dnattr=owner write
 	by * break
 
+# registration - allow registrar group to create basic unprivileged accounts
+access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+	attrs=&quot;objectClass&quot; 
+	val=&quot;inetOrgperson&quot; 
+	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =a
+	by * +0 break
+
+access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+	filter=&quot;(!(objectclass=posixAccount))&quot;
+	attrs=cn,sn,gn,mail,entry,children
+	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =a
+	by * +0 break
+
 # let the user change some of his/her attributes
 access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
 	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
 	by self write
-	by * break
+	by * +0 break
 
 # create new accounts
 access to dn.regex=&quot;^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$&quot;
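Review bot: Changing the registrar clauses from `write by * +0 break` / `+a break` to `=a` with no control makes each rule stop for registrars with exactly the add privilege, so a registrar matching the second rule gets no read or search on `cn,sn,gn,mail,entry` of non-posixAccount People entries even if a later rule would have granted it; if that loss is unintended, `+a break` (as in the removed version) keeps the add grant additive while letting later rules apply. The first rule only covers the single objectClass value `inetOrgperson`; the `top`, `person` and `organizationalPerson` values an inetOrgPerson entry must also carry, and the RDN attribute (presumably `uid`, which is absent from the second rule's attrs list) fall through `by * +0 break` to the "create new accounts" rule whose body lies below this hunk, so whether a registrar add actually succeeds depends on that rule. The `filter="(!(objectclass=posixAccount))"` is what keeps registrars from creating privileged (posix) accounts; a comment stating that, e.g. `# filter: registrars may only create entries that are not posixAccounts`, would make the intent survive future edits.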
@@ -146,17 +159,7 @@
 	by group.exact=&quot;cn=DNS Readers,ou=System Groups,dc=mageia,dc=org&quot; read
 	by * none
 
-# registration - allow registrar group to create basic unprivileged accounts
-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
-	attrs=&quot;objectClass&quot; 
-	val=&quot;inetOrgperson&quot; 
-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; write by * +0 break
 
-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
-	attrs=&quot;cn,sn,gn,mail,entry,children&quot; 
-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; +a break
-	by * +0 break
-
 # MTA
 # XXX - what else can we add here? Virtual Domains? With which schema?
 access to dn.one=&quot;ou=People,dc=mageia,dc=org&quot;

Modified: puppet/modules/openldap/templates/slapd.conf
===================================================================
--- puppet/modules/openldap/templates/slapd.conf	2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/slapd.conf	2010-11-05 12:19:23 UTC (rev 134)
@@ -40,6 +40,14 @@
 TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
 TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
 
+# Give ldapi connection some security
+localSSF 56
+# Require at least this security, so we allow:
+# ldapi
+# ldap+start_tls
+# ldaps
+security ssf=56
+
 loglevel 256
 
 database	bdb
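Review bot: `security ssf=56` sets the floor at single-DES strength, which in practice any non-export TLS cipher suite exceeds, so the floor only really bites for `localSSF`, which is pinned to the same 56; raising the floor (e.g. `ssf=128`) would require raising `localSSF` in lockstep, and the comment should say so: `# localSSF must be >= the 'security ssf=' floor or ldapi connections are refused`. As I read it, `security ssf=` is checked per operation once the request is read, so a client on the cleartext `ldap://` listener that issues a simple bind before StartTLS has already transmitted the password before slapd refuses the bind; that is client-side discipline this directive cannot enforce. The log message says anonymous access is restricted, but that is done in the ACL template rather than here; if anonymous binds themselves should be refused, `disallow bind_anon` is the server-level control, and it is not in this hunk (it may exist elsewhere in the file).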