[Mageia-sysadm] [634] - do not let user change their own memberOf attribute, ( even if the overlay may prevent it )
root at mageia.org
Thu Dec 16 13:49:49 CET 2010
Revision: 634
Author: misc
Date: 2010-12-16 13:49:49 +0100 (Thu, 16 Dec 2010)
Log Message:
-----------
- do not let user change their own memberOf attribute, ( even if the overlay may prevent it )
Modified Paths:
--------------
puppet/modules/openldap/templates/mandriva-dit-access.conf
Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-12-16 11:44:22 UTC (rev 633)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-12-16 12:49:49 UTC (rev 634)
@@ -113,10 +113,15 @@
# let the user change some of his/her attributes
access to dn.subtree="ou=People,<%= dc_suffix %>"
- attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey,memberOf
+ attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
by self write
by users read
+access to dn.subtree="ou=People,<%= dc_suffix %>"
+ attrs=memberOf
+ by users read
+
+
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
attrs=children,entry
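Review bot: The new `attrs=memberOf` clause carries only `by users read` and has no comment of its own. slapd stops at the first `access to` clause whose target matches and ends every clause with an implicit `by * none`. For memberOf under ou=People this block is therefore final: anonymous binds get nothing, and any admin or service identity that is granted write by a later rule will not get it here. If that is the intent, with the overlay being the only writer, add a comment line above the block saying so, since the existing "let the user change some of his/her attributes" comment now reads as if it covers this block too. It is also worth confirming that no clause above line 113 matches ou=People entries with a `by self write` that includes memberOf, because an earlier match would take precedence over this one. The two blank lines added after the block could be reduced to one to match the spacing of the rest of the file.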