[Mageia-sysadm] [134] Finalise registration ACLs
root at mageia.org
root at mageia.org
Fri Nov 5 13:19:23 CET 2010
Revision: 134
Author: buchan
Date: 2010-11-05 13:19:23 +0100 (Fri, 05 Nov 2010)
Log Message:
-----------
Finalise registration ACLs
Restrict anonymous access (to none)
Add some additional ACLs to put back some access that previously relied on anonymous
Listen on all IP addresses, and ldapi
Assign localSSF matching ssf requirement, so we allow ldapi,ldaps,ldap+start_tls
Modified Paths:
--------------
puppet/modules/openldap/templates/ldap.sysconfig
puppet/modules/openldap/templates/mandriva-dit-access.conf
puppet/modules/openldap/templates/slapd.conf
Modified: puppet/modules/openldap/templates/ldap.sysconfig
===================================================================
--- puppet/modules/openldap/templates/ldap.sysconfig 2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/ldap.sysconfig 2010-11-05 12:19:23 UTC (rev 134)
@@ -3,7 +3,7 @@
SLAPDSYSLOGLOCALUSER="local4"
# SLAPD URL list
-SLAPDURLLIST="ldap://127.0.0.1/ ldaps://127.0.0.1/"
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
# Config file to use for slapd
#SLAPDCONF=/etc/openldap/slapd.conf
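Review bot: `ldap:///` on L28 now accepts cleartext TCP connections on every interface, and nothing in this file records that this is only acceptable because slapd.conf enforces `security ssf=56` (StartTLS before any operation); someone editing either file alone can silently reopen cleartext access. A one-line comment above the list ties the two together: `# ldap:/// is only safe with 'security ssf=56' in slapd.conf: clients must StartTLS before binding`. Keep in mind that a server-side SSF floor only makes slapd reject a cleartext simple bind — it cannot stop a misconfigured client from sending the password before StartTLS — so unless this host is firewalled, consider keeping `ldap://` bound to 127.0.0.1 (or using ldapi only) and exposing just `ldaps:///` externally.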
Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-05 12:19:23 UTC (rev 134)
@@ -85,11 +85,24 @@
by dnattr=owner write
by * break
+# registration - allow registrar group to create basic unprivileged accounts
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ attrs="objectClass"
+ val="inetOrgperson"
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =a
+ by * +0 break
+
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ filter="(!(objectclass=posixAccount))"
+ attrs=cn,sn,gn,mail,entry,children
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =a
+ by * +0 break
+
# let the user change some of his/her attributes
access to dn.subtree="ou=People,dc=mageia,dc=org"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
by self write
- by * break
+ by * +0 break
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
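Review bot: The `=a` clauses on L42 and L48 carry the default `stop` control, so for a member of cn=registrars evaluation ends there with exactly add privilege — unlike the removed `+a break` form they replace, registrars are left with no read, search or compare on objectClass=inetOrgPerson (L42) or on cn/sn/gn/mail of non-posixAccount entries (L48), and `=` also discards any privilege accumulated by earlier rules. If the registration client needs to search those attributes (for example to detect an existing account or mail address before creating one), that lookup now fails; `=a break` would let later rules add read back, or `=ars` would grant it here. A second point to confirm: the `val="inetOrgperson"` match on L41 covers only that literal value, so if the client also sends `objectClass: person`, `organizationalPerson` or `top`, add access for those values falls through via `by * +0 break` to later rules (such as the "create new accounts" rule beginning on L58, whose body continues outside this hunk) — a comment naming the rule expected to grant them would help. The match is case-insensitive, but the canonical spelling `inetOrgPerson` is clearer.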
@@ -146,17 +159,7 @@
by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
by * none
-# registration - allow registrar group to create basic unprivileged accounts
-access to dn.subtree="ou=People,dc=mageia,dc=org"
- attrs="objectClass"
- val="inetOrgperson"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" write by * +0 break
-access to dn.subtree="ou=People,dc=mageia,dc=org"
- attrs="cn,sn,gn,mail,entry,children"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break
- by * +0 break
-
# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
access to dn.one="ou=People,dc=mageia,dc=org"
Modified: puppet/modules/openldap/templates/slapd.conf
===================================================================
--- puppet/modules/openldap/templates/slapd.conf 2010-11-05 11:03:31 UTC (rev 133)
+++ puppet/modules/openldap/templates/slapd.conf 2010-11-05 12:19:23 UTC (rev 134)
@@ -40,6 +40,14 @@
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
+# Give ldapi connection some security
+localSSF 56
+# Require at least this security, so we allow:
+# ldapi
+# ldap+start_tls
+# ldaps
+security ssf=56
+
loglevel 256
database bdb
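Review bot: `security ssf=56` on L88 sets a floor low enough to accept DES/export-strength TLS cipher suites, and no `TLSCipherSuite` restriction is visible in the hunk (L80-L81 only point at the certificate and key); `ssf=128` paired with `localSSF 128` (the local value must still clear the floor for ldapi to keep working) and a `TLSCipherSuite` that excludes weak ciphers would make the requirement meaningful. The comment on L84-L87 should also say what the directive does not do: it only makes slapd reject operations on an under-protected connection, so a client that sends a simple bind before StartTLS still puts the password on the wire — client-side ldap.conf needs to require TLS as well, e.g. `# NOTE: this rejects cleartext binds but cannot prevent a client from sending one; require TLS client-side too`. Finally, `localSSF 56` is an assertion about the ldapi socket rather than a measurement: it is only justified if the socket's ownership and mode restrict who can connect, which this hunk does not show, so confirm the socket permissions before relying on it.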