[Mageia-sysadm] [82] ACLs:

root at mageia.org root at mageia.org
Thu Nov 4 13:06:16 CET 2010


Revision: 82
Author:   buchan
Date:     2010-11-04 13:06:15 +0100 (Thu, 04 Nov 2010)
Log Message:
-----------
ACLs:
  Add ACLs required for self-registration application to registrar system group
  Allow Account admins to unlock accounts (write to pwdAccountLockedTime)
  Allow users to update their email address and preferredLanguage
Schema:
  Switch to rfc2307bis (replacing nis.schema and autofs.schema)
  Add LPK

Modified Paths:
--------------
    puppet/modules/openldap/templates/mandriva-dit-access.conf
    puppet/modules/openldap/templates/slapd.conf

Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-04 01:19:58 UTC (rev 81)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-04 12:06:15 UTC (rev 82)
@@ -19,6 +19,13 @@
 	by * break
 
 # userPassword access
+# Allow account registration to write userPassword of unprivileged users accounts
+access to dn.subtree="ou=People,dc=mageia,dc=org" 
+	filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
+	attrs=userPassword,pwdReset
+	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a
+	by * +0 break
+
 # shadowLastChange is here because it needs to be writable by the user because
 # of pam_ldap, which will update this attr whenever the password is changed.
 # And this is done with the user's credentials
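Review bot: The new userPassword rule at lines 34-38 grants registrars `+a` on userPassword for every existing non-posixAccount inetOrgPerson under ou=People, not only for entries the registration application is creating; userPassword is multi-valued and simple bind accepts any stored value, so as far as I can tell add privilege alone lets a registrar attach an extra password to an existing unprivileged account and then bind as that user. An ACL filter cannot tell an add from a modify (a presence test on userPassword would also reject the legitimate add, since the new entry carries the attribute), so if this exposure is accepted it should be stated in the comment, e.g. `# NOTE: +a also applies to existing non-posixAccount entries; registrars can add a further userPassword value to such accounts`, and the registrar account's writes are worth covering with the accesslog/auditlog overlay so such additions are visible. The rule also spells the subject as `group/groupOfNames/member.exact=...` and `ou=system groups` whereas the rest of the file uses `group.exact=...` and `ou=System Groups`; DN matching is case-insensitive so both work, but the short form would be consistent.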
@@ -68,7 +75,7 @@
 
 # pwdReset, so the admin can force an user to change a password
 access to dn.subtree="dc=mageia,dc=org"
-	attrs=pwdReset
+	attrs=pwdReset,pwdAccountLockedTime
 	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
 	by * read
 
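Review bot: The comment above this rule (`# pwdReset, so the admin can force an user to change a password`) no longer describes it now that line 48 also covers pwdAccountLockedTime; suggest `# pwdReset, so an admin can force a user to change a password; pwdAccountLockedTime so Account Admins can unlock (or lock) accounts`. The unchanged `by * read` now exposes lock state to every identity that reaches this rule, anonymous included unless an earlier rule outside this hunk stops it; if that is not intended, `by users read` limits it to authenticated binds. Write on pwdAccountLockedTime also lets Account Admins lock an account by writing a timestamp, which is reasonable but worth saying in the comment.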
@@ -80,7 +87,7 @@
 
 # let the user change some of his/her attributes
 access to dn.subtree="ou=People,dc=mageia,dc=org"
-	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
+	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
 	by self write
 	by * break
 
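Review bot: `by self write` on `mail` at line 57 lets a user set the address to any value, including one already held by another account; nothing in this diff enforces uniqueness, and registrars also add `mail` in the new registration rules, so if mail is used as a login or recovery identifier anywhere, two entries can end up with the same address. If the unique overlay is not already configured in slapd.conf (outside this diff), `overlay unique` with `unique_uri ldap:///ou=People,dc=mageia,dc=org?mail?sub` makes the server reject duplicates regardless of which client writes the attribute. A one-line comment on why these two attributes became self-service would also help, e.g. `# mail and preferredLanguage are self-service for the account/registration application`.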
@@ -139,6 +146,17 @@
 	by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
 	by * none
 
+# registration - allow registrar group to create basic unprivileged accounts
+access to dn.subtree="ou=People,dc=mageia,dc=org" 
+	attrs="objectClass" 
+	val="inetOrgperson" 
+	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" write by * +0 break
+
+access to dn.subtree="ou=People,dc=mageia,dc=org" 
+	attrs="cn,sn,gn,mail,entry,children" 
+	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break
+	by * +0 break
+
 # MTA
 # XXX - what else can we add here? Virtual Domains? With which schema?
 access to dn.one="ou=People,dc=mageia,dc=org"
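Review bot: The second registration rule (lines 71-74) grants registrars `+a` on cn, sn, gn, mail and entry for every entry under ou=People with no filter, unlike the userPassword rule in this same commit, which is limited to non-posixAccount inetOrgPerson entries; as written a registrar can add a further `mail` (or cn) value to any existing account, including privileged ones. Splitting the rule so that `children` (needed on ou=People itself, which a person filter would exclude) stays unfiltered while the entry/attribute part carries the same filter as the userPassword rule keeps the create path working and confines additions to unprivileged accounts; confirm on this slapd version that the filter is evaluated against the entry being added. The first rule's `by ... write by * +0 break` on line 69 puts two `by` clauses on one line, unlike every other rule in the file, and `val="inetOrgperson"` is legal only because objectClass matching is case-insensitive — `inetOrgPerson` reads better.
```conf
# registration - registrar group may create entries under ou=People
access to dn.subtree="ou=People,dc=mageia,dc=org"
	attrs="children"
	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break
	by * +0 break

# ... and add basic attributes only on unprivileged (non-posixAccount) person entries
access to dn.subtree="ou=People,dc=mageia,dc=org"
	filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
	attrs="cn,sn,gn,mail,entry"
	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break
	by * +0 break
```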

Modified: puppet/modules/openldap/templates/slapd.conf
===================================================================
--- puppet/modules/openldap/templates/slapd.conf	2010-11-04 01:19:58 UTC (rev 81)
+++ puppet/modules/openldap/templates/slapd.conf	2010-11-04 12:06:15 UTC (rev 82)
@@ -7,9 +7,9 @@
 include	/usr/share/openldap/schema/krb5-kdc.schema
 #include /usr/share/openldap/schema/kerberosobject.schema
 include	/usr/share/openldap/schema/misc.schema
-include	/usr/share/openldap/schema/nis.schema
+include	/usr/share/openldap/schema/rfc2307bis.schema
 include	/usr/share/openldap/schema/openldap.schema 
-include /usr/share/openldap/schema/autofs.schema
+#include /usr/share/openldap/schema/autofs.schema
 include /usr/share/openldap/schema/samba.schema
 include /usr/share/openldap/schema/kolab.schema
 include /usr/share/openldap/schema/evolutionperson.schema
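Review bot: Replacing nis.schema with rfc2307bis.schema at line 89 changes posixGroup from a STRUCTURAL to an AUXILIARY object class, so any posixGroup entries already in the directory that have no other structural class will fail schema checking on their next modification, and a slapadd of an old dump will reject them; if the database was populated under nis.schema, the conversion (adding a structural class such as groupOfNames to those entries) needs to happen alongside this template change. A comment on the include would spare the next reader the surprise, e.g. `# rfc2307bis replaces nis.schema: posixGroup is AUXILIARY here, groups need a structural class`. Commenting out autofs.schema is consistent with the switch, since the rfc2307bis draft carries its own automount/automountMap definitions, but whether the existing autofs entries match those definitions is outside this diff and should be checked before deployment.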
@@ -19,6 +19,7 @@
 include /usr/share/openldap/schema/dhcp.schema
 include /usr/share/openldap/schema/dyngroup.schema
 include /usr/share/openldap/schema/ppolicy.schema
+include /usr/share/openldap/schema/openssh-lpk_openldap.schema
 
 #include	/etc/openldap/schema/local.schema
 
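Review bot: Including openssh-lpk_openldap.schema at line 100 makes `sshPublicKey` (via the ldapPublicKey class) available, but the ACL changes in this commit add no rule for it, so write access to a user's SSH keys falls to whatever catch-all mandriva-dit-access.conf ends with, outside this diff. Because a writable sshPublicKey amounts to login access on every host that consumes LPK, an explicit rule makes the decision visible, e.g. `access to dn.subtree="ou=People,dc=mageia,dc=org" attrs=sshPublicKey by self write by * read`, or tighter if keys are meant to be managed centrally. Also verify that the schema file exists at that path on the target hosts, since slapd refuses to start on a missing include.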