<PRE>Revision: 375
Author:   misc
Date:     2010-11-22 03:04:02 +0100 (Mon, 22 Nov 2010)
Log Message:
-----------
- do not hardcode mageia.org in acl

Modified Paths:
--------------
    puppet/modules/openldap/templates/mandriva-dit-access.conf

Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-22 02:03:58 UTC (rev 374)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-22 02:04:02 UTC (rev 375)
@@ -1,184 +1,184 @@
 # mandriva-dit-access.conf
 
-limits group=&quot;cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org&quot;
+limits group=&quot;cn=LDAP Replicators,ou=System Groups,&lt;%= dc_suffix %&gt;&quot;
 	limit size=unlimited
 	limit time=unlimited
 
-limits group=&quot;cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org&quot;
+limits group=&quot;cn=LDAP Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot;
 	limit size=unlimited
 	limit time=unlimited
 
-limits group=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot;
+limits group=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot;
 	limit size=unlimited
 	limit time=unlimited
 
 # so we don't have to add these to every other acl down there
-access to dn.subtree=&quot;dc=mageia,dc=org&quot;
-	by group.exact=&quot;cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org&quot; write
-	by group.exact=&quot;cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org&quot; read
+access to dn.subtree=&quot;&lt;%= dc_suffix %&gt;&quot;
+	by group.exact=&quot;cn=LDAP Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
+	by group.exact=&quot;cn=LDAP Replicators,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; read
 	by * break
 
 # userPassword access
 # Allow account registration to write userPassword of unprivileged users accounts
-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+access to dn.subtree=&quot;ou=People,&lt;%= dc_suffix %&gt;&quot; 
 	filter=&quot;(&amp;(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))&quot;
 	attrs=userPassword,pwdReset
-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; +a
+	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,&lt;%= dc_suffix %&gt;&quot; +a
 	by * +0 break
 
 # shadowLastChange is here because it needs to be writable by the user because
 # of pam_ldap, which will update this attr whenever the password is changed.
 # And this is done with the user's credentials
-access to dn.subtree=&quot;dc=mageia,dc=org&quot;
+access to dn.subtree=&quot;&lt;%= dc_suffix %&gt;&quot;
         attrs=shadowLastChange
         by self write
-        by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+        by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
         by users read
-access to dn.subtree=&quot;dc=mageia,dc=org&quot;
+access to dn.subtree=&quot;&lt;%= dc_suffix %&gt;&quot;
 	attrs=userPassword
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by self write
 	by anonymous auth
 	by * none
 
 # kerberos key access
 # &quot;by auth&quot; just in case...
-access to dn.subtree=&quot;dc=mageia,dc=org&quot;
+access to dn.subtree=&quot;&lt;%= dc_suffix %&gt;&quot;
         attrs=krb5Key
         by self write
-        by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+        by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
         by anonymous auth
         by * none
 
 # password policies
-access to dn.subtree=&quot;ou=Password Policies,dc=mageia,dc=org&quot;
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+access to dn.subtree=&quot;ou=Password Policies,&lt;%= dc_suffix %&gt;&quot;
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users read
 
 # samba password attributes
 # by self not strictly necessary, because samba uses its own admin user to
 # change the password on the user's behalf
 # openldap also doesn't auth on these attributes, but maybe some day it will
-access to dn.subtree=&quot;dc=mageia,dc=org&quot;
+access to dn.subtree=&quot;&lt;%= dc_suffix %&gt;&quot;
 	attrs=sambaLMPassword,sambaNTPassword
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by anonymous auth
 	by self write
 	by * none
 # password history attribute
 # pwdHistory is read-only, but ACL is simplier with it here
-access to dn.subtree=&quot;dc=mageia,dc=org&quot;
+access to dn.subtree=&quot;&lt;%= dc_suffix %&gt;&quot;
 	attrs=sambaPasswordHistory,pwdHistory
 	by self read
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by * none
 
 # pwdReset, so the admin can force an user to change a password
-access to dn.subtree=&quot;dc=mageia,dc=org&quot;
+access to dn.subtree=&quot;&lt;%= dc_suffix %&gt;&quot;
 	attrs=pwdReset,pwdAccountLockedTime
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by self read
 
 # group owner can add/remove/edit members to groups
-access to dn.regex=&quot;^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$&quot;
+access to dn.regex=&quot;^cn=[^,]+,ou=(System Groups|Group),&lt;%= dc_suffix %&gt;$&quot;
 	attrs=member
 	by dnattr=owner write
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users +sx
 
-access to dn.regex=&quot;^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$&quot;
+access to dn.regex=&quot;^cn=[^,]+,ou=(System Groups|Group),&lt;%= dc_suffix %&gt;$&quot;
 	attrs=cn,description,objectClass,gidNumber
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users read
 
 # registration - allow registrar group to create basic unprivileged accounts
-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+access to dn.subtree=&quot;ou=People,&lt;%= dc_suffix %&gt;&quot; 
 	attrs=&quot;objectClass&quot; 
 	val=&quot;inetOrgperson&quot; 
-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =asrx
+	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,&lt;%= dc_suffix %&gt;&quot; =asrx
 	by * +0 break
 
-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+access to dn.subtree=&quot;ou=People,&lt;%= dc_suffix %&gt;&quot; 
 	filter=&quot;(!(objectclass=posixAccount))&quot;
 	attrs=cn,sn,gn,mail,entry,children,preferredLanguage
-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =asrx
+	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,&lt;%= dc_suffix %&gt;&quot; =asrx
 	by * +0 break
 
 # let the user change some of his/her attributes
-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
+access to dn.subtree=&quot;ou=People,&lt;%= dc_suffix %&gt;&quot;
 	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
 	by self write
 	by users read
 
 # create new accounts
-access to dn.regex=&quot;^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$&quot;
+access to dn.regex=&quot;^([^,]+,)?ou=(People|Group|Hosts),&lt;%= dc_suffix %&gt;$&quot;
 	attrs=children,entry
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by * break
 # access to existing entries
-access to dn.regex=&quot;^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$&quot;
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+access to dn.regex=&quot;^[^,]+,ou=(People|Hosts|Group),&lt;%= dc_suffix %&gt;$&quot;
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by * break
 
 # sambaDomainName entry
-access to dn.regex=&quot;^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$&quot;
+access to dn.regex=&quot;^(sambaDomainName=[^,]+,)?&lt;%= dc_suffix %&gt;$&quot;
 	attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at sambaDomain</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at sambaUnixIdPool</A>
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users read
 
 # samba ID mapping
-access to dn.regex=&quot;^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$&quot;
+access to dn.regex=&quot;^(sambaSID=[^,]+,)?ou=Idmap,&lt;%= dc_suffix %&gt;$&quot;
 	attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at sambaIdmapEntry</A>
-	by group.exact=&quot;cn=Account Admins,ou=System Groups,dc=mageia,dc=org&quot; write
-	by group.exact=&quot;cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Account Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
+	by group.exact=&quot;cn=IDMAP Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users read
 
 # global address book
 # XXX - which class(es) to use?
-access to dn.regex=&quot;^(.*,)?ou=Address Book,dc=mageia,dc=org&quot;
+access to dn.regex=&quot;^(.*,)?ou=Address Book,&lt;%= dc_suffix %&gt;&quot;
 	attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at inetOrgPerson</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at evolutionPerson</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at evolutionPersonList</A>
-	by group.exact=&quot;cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Address Book Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users read
 
 # dhcp entries
 # XXX - open up read access to anybody?
-access to dn.sub=&quot;ou=dhcp,dc=mageia,dc=org&quot;
+access to dn.sub=&quot;ou=dhcp,&lt;%= dc_suffix %&gt;&quot;
 	attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at dhcpService</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpServer</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpSharedNetwork</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpSubnet</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpPool</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpGroup</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpHost</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpClass</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpSubClass</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpOptions</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpLeases</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpLog</A>
-	by group.exact=&quot;cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org&quot; write
-	by group.exact=&quot;cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org&quot; read
+	by group.exact=&quot;cn=DHCP Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
+	by group.exact=&quot;cn=DHCP Readers,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; read
 	by * read
 
 # sudoers
-access to dn.regex=&quot;^([^,]+,)?ou=sudoers,dc=mageia,dc=org$&quot;
+access to dn.regex=&quot;^([^,]+,)?ou=sudoers,&lt;%= dc_suffix %&gt;$&quot;
 	attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at sudoRole</A>
-	by group.exact=&quot;cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=Sudo Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users read
 
 # dns
-access to dn=&quot;ou=dns,dc=mageia,dc=org&quot;
+access to dn=&quot;ou=dns,&lt;%= dc_suffix %&gt;&quot;
 	attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">entry, at extensibleObject</A>
-	by group.exact=&quot;cn=DNS Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=DNS Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users read
-access to dn.sub=&quot;ou=dns,dc=mageia,dc=org&quot;
+access to dn.sub=&quot;ou=dns,&lt;%= dc_suffix %&gt;&quot;
 	attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at dNSZone</A>
-	by group.exact=&quot;cn=DNS Admins,ou=System Groups,dc=mageia,dc=org&quot; write
-	by group.exact=&quot;cn=DNS Readers,ou=System Groups,dc=mageia,dc=org&quot; read
+	by group.exact=&quot;cn=DNS Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
+	by group.exact=&quot;cn=DNS Readers,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; read
 	by * none
 
 
 # MTA
 # XXX - what else can we add here? Virtual Domains? With which schema?
-access to dn.one=&quot;ou=People,dc=mageia,dc=org&quot;
+access to dn.one=&quot;ou=People,&lt;%= dc_suffix %&gt;&quot;
 	attrs=@inetLocalMailRecipient,mail
-	by group.exact=&quot;cn=MTA Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+	by group.exact=&quot;cn=MTA Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by users read
 
 # KDE Configuration
-access to dn.sub=&quot;ou=KDEConfig,dc=mageia,dc=org&quot;
-	by group.exact=&quot;cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org&quot; write
+access to dn.sub=&quot;ou=KDEConfig,&lt;%= dc_suffix %&gt;&quot;
+	by group.exact=&quot;cn=KDEConfig Admins,ou=System Groups,&lt;%= dc_suffix %&gt;&quot; write
 	by * read
 
 # last one
-access to dn.subtree=&quot;dc=mageia,dc=org&quot; attrs=entry,uid,cn
+access to dn.subtree=&quot;&lt;%= dc_suffix %&gt;&quot; attrs=entry,uid,cn
 	by users read
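Review bot: The eight `dn.regex=` rules (the group-owner, account-creation, sambaDomainName, Idmap, Address Book, sudoers rules) now interpolate `dc_suffix` unescaped into a regular expression, so any regex metacharacter in a non-trivial suffix (a `.` in `o=Example Inc.`, a `+` in a multi-valued RDN) would change what the ACL matches rather than being taken literally, and in slapd that generally means a broader match, not a narrower one. The `dn.subtree=`, `dn.sub=`, `dn.one=`, `dn=` and `group.exact=` rules are exact-DN matches and are fine as written. For the regex rules I would render the suffix escaped, e.g. `access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= Regexp.escape(dc_suffix) %>$"`, and apply the same substitution to the other seven `dn.regex=` lines. It would also be worth guarding the template against an unset or empty `dc_suffix` (e.g. a `raise` at the top of the template), since the file is an ACL and a silently empty suffix would not fail in an obviously safe direction.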
 