[Mageia-sysadm] [212] Close more anon access, and open up read access to some inetOrgPerson attrs to users

root at mageia.org root at mageia.org
Tue Nov 9 15:25:10 CET 2010


Revision: 212
Author:   buchan
Date:     2010-11-09 15:25:10 +0100 (Tue, 09 Nov 2010)
Log Message:
-----------
Close more anon access, and open up read access to some inetOrgPerson attrs to users

Modified Paths:
--------------
    puppet/modules/openldap/templates/mandriva-dit-access.conf

Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-09 02:21:57 UTC (rev 211)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-09 14:25:10 UTC (rev 212)
@@ -33,7 +33,7 @@
         attrs=shadowLastChange
         by self write
         by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
-        by * read
+        by users read
 access to dn.subtree="dc=mageia,dc=org"
 	attrs=userPassword
 	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
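Review bot: Switching `by * read` to `by users read` on shadowLastChange, like the same switch in the hunks at @@ -53, @@ -122, @@ -150, @@ -169 and @@ -178, assumes every consumer of these entries performs an authenticated bind; any client that still searches anonymously (an nss or sudo-ldap host without a bind DN, for example) loses read access silently rather than failing loudly, so the client configurations are worth confirming before puppet rolls this out. Since slapd stops at the first matching `by` clause and denies when none matches, the missing `by * none` is implied, which is correct but could be written out for readers less familiar with the ACL semantics. Separately, the `by` lines at the top of this hunk are indented with spaces while the rest of the file uses tabs; the `access to` line this clause belongs to is above the hunk.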
@@ -53,7 +53,7 @@
 # password policies
 access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
 	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
-	by * read
+	by users read
 
 # samba password attributes
 # by self not strictly necessary, because samba uses its own admin user to
@@ -77,16 +77,18 @@
 access to dn.subtree="dc=mageia,dc=org"
 	attrs=pwdReset,pwdAccountLockedTime
 	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
-	by * read
+	by self read
 
 # group owner can add/remove/edit members to groups
 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
 	attrs=member
 	by dnattr=owner write
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
 	by users +sx
 
 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
 	attrs=cn,description,objectClass,gidNumber
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
 	by users read
 
 # registration - allow registrar group to create basic unprivileged accounts
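Review bot: The new `by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write` on `member` in the first group clause applies to every group matched by `ou=(System Groups|Group)`, so Account Admins can now add entries, including themselves, to Sudo Admins, DNS Admins, IDMAP Admins and the other System Groups, which removes the separation the per-role admin groups otherwise provide. If that is intended, a comment such as `# Account Admins manage membership of all groups, including System Groups` above the clause would record the decision; if not, the write grant should live in a separate clause whose regex matches `ou=Group` only. The same consideration applies to the write grant on `cn,description,objectClass,gidNumber` in the second clause, where writing `objectClass` also allows the group entry's class to be changed.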
@@ -106,7 +108,7 @@
 access to dn.subtree="ou=People,dc=mageia,dc=org"
 	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
 	by self write
-	by users +sx
+	by users read
 
 # create new accounts
 access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
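Review bot: Changing `by users +sx` to `by users read` on this clause exposes homePhone, homePostalAddress and carLicense, along with mobile and pager, to every authenticated account, not only the contact attributes (mail, preferredLanguage, telephoneNumber) the log message appears to be aimed at. The home* and carLicense values are personal data that most directory users have no need to see; consider splitting the attrs list so those keep `by self write` / `by users +sx` and only the work-contact attributes receive `by users read`.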
@@ -122,21 +124,21 @@
 access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
 	attrs=children,entry, at sambaDomain, at sambaUnixIdPool
 	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
-	by * read
+	by users read
 
 # samba ID mapping
 access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
 	attrs=children,entry, at sambaIdmapEntry
 	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
 	by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
-	by * read
+	by users read
 
 # global address book
 # XXX - which class(es) to use?
 access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
 	attrs=children,entry, at inetOrgPerson, at evolutionPerson, at evolutionPersonList
 	by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
-	by * read
+	by users read
 
 # dhcp entries
 # XXX - open up read access to anybody?
@@ -150,13 +152,13 @@
 access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
 	attrs=children,entry, at sudoRole
 	by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
-	by * read
+	by users read
 
 # dns
 access to dn="ou=dns,dc=mageia,dc=org"
 	attrs=entry, at extensibleObject
 	by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
-	by * read
+	by users read
 access to dn.sub="ou=dns,dc=mageia,dc=org"
 	attrs=children,entry, at dNSZone
 	by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
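Review bot: The `dn.sub="ou=dns,dc=mageia,dc=org"` clause for `children,entry,@dNSZone` at the end of this hunk continues past the hunk, so its final `by` line is not visible here; if it still reads `by * read`, zone data stays anonymously readable while the `ou=dns` container entry just above is now users-only, an inconsistent state in which an anonymous client sees the zone entries but not their parent. Either leave both open (zone data is often intentionally public) or close both with `by users read`, and record the choice in the `# dns` comment.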
@@ -169,7 +171,7 @@
 access to dn.one="ou=People,dc=mageia,dc=org"
 	attrs=@inetLocalMailRecipient,mail
 	by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
-	by * read
+	by users read
 
 # KDE Configuration
 access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
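Review bot: The `mail` attribute in this `dn.one="ou=People"` clause is already covered by the earlier `dn.subtree="ou=People"` clause (hunk @@ -106, attrs `carLicense,...,mail,preferredLanguage`), and slapd uses the first `access to` directive whose target matches, so for `mail` on People entries the earlier clause wins and the `by group.exact="cn=MTA Admins,..." write` here is never reached; MTA Admins receive only the `by users read` granted there. If MTA Admins are meant to manage mail, either remove `mail` from the @@ -106 attrs list or add an MTA Admins `write` line to that clause. The `@inetLocalMailRecipient` attributes in this clause are not affected by the overlap.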
@@ -178,5 +180,5 @@
 
 # last one
 access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
-	by * read
+	by users read
 