1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[134] Finalise registration ACLs</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd>134</dd>
<dt>Author</dt> <dd>buchan</dd>
<dt>Date</dt> <dd>2010-11-05 13:19:23 +0100 (Fri, 05 Nov 2010)</dd>
</dl>
<h3>Log Message</h3>
<pre>Finalise registration ACLs
Restrict anonymous access (to none)
Add some additional ACLs to put back some access that previously relied on anonymous
Listen on all IP addresses, and ldapi
Assign localSSF matching ssf requirement, so we allow ldapi,ldaps,ldap+start_tls</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#puppetmodulesopenldaptemplatesldapsysconfig">puppet/modules/openldap/templates/ldap.sysconfig</a></li>
<li><a href="#puppetmodulesopenldaptemplatesmandrivaditaccessconf">puppet/modules/openldap/templates/mandriva-dit-access.conf</a></li>
<li><a href="#puppetmodulesopenldaptemplatesslapdconf">puppet/modules/openldap/templates/slapd.conf</a></li>
</ul>
</div>
<div id="patch"><pre>
<a id="puppetmodulesopenldaptemplatesldapsysconfig">Modified: puppet/modules/openldap/templates/ldap.sysconfig</a>
===================================================================
--- puppet/modules/openldap/templates/ldap.sysconfig 2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/ldap.sysconfig 2010-11-05 12:19:23 UTC (rev 134)
@@ -3,7 +3,7 @@
SLAPDSYSLOGLOCALUSER="local4"
# SLAPD URL list
-SLAPDURLLIST="ldap://127.0.0.1/ ldaps://127.0.0.1/"
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
# Config file to use for slapd
#SLAPDCONF=/etc/openldap/slapd.conf
<a id="puppetmodulesopenldaptemplatesmandrivaditaccessconf">Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf</a>
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-05 12:19:23 UTC (rev 134)
@@ -85,11 +85,24 @@
by dnattr=owner write
by * break
+# registration - allow registrar group to create basic unprivileged accounts
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ attrs="objectClass"
+ val="inetOrgperson"
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =a
+ by * +0 break
+
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ filter="(!(objectclass=posixAccount))"
+ attrs=cn,sn,gn,mail,entry,children
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =a
+ by * +0 break
+
# let the user change some of his/her attributes
access to dn.subtree="ou=People,dc=mageia,dc=org"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
by self write
- by * break
+ by * +0 break
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
@@ -146,17 +159,7 @@
by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
by * none
-# registration - allow registrar group to create basic unprivileged accounts
-access to dn.subtree="ou=People,dc=mageia,dc=org"
- attrs="objectClass"
- val="inetOrgperson"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" write by * +0 break
-access to dn.subtree="ou=People,dc=mageia,dc=org"
- attrs="cn,sn,gn,mail,entry,children"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break
- by * +0 break
-
# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
access to dn.one="ou=People,dc=mageia,dc=org"
<a id="puppetmodulesopenldaptemplatesslapdconf">Modified: puppet/modules/openldap/templates/slapd.conf</a>
===================================================================
--- puppet/modules/openldap/templates/slapd.conf 2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/slapd.conf 2010-11-05 12:19:23 UTC (rev 134)
@@ -40,6 +40,14 @@
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
+# Give ldapi connection some security
+localSSF 56
+# Require at least this security, so we allow:
+# ldapi
+# ldap+start_tls
+# ldaps
+security ssf=56
+
loglevel 256
database bdb
</pre></div>
</body>
</html>
|
