[Mageia-sysadm] [212] Close more anon access, and open up read access to some inetOrgPerson attrs to users
root at mageia.org
root at mageia.org
Tue Nov 9 15:25:10 CET 2010
Revision: 212
Author: buchan
Date: 2010-11-09 15:25:10 +0100 (Tue, 09 Nov 2010)
Log Message:
-----------
Close more anon access, and open up read access to some inetOrgPerson attrs to users
Modified Paths:
--------------
puppet/modules/openldap/templates/mandriva-dit-access.conf
Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-09 02:21:57 UTC (rev 211)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-09 14:25:10 UTC (rev 212)
@@ -33,7 +33,7 @@
attrs=shadowLastChange
by self write
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
access to dn.subtree="dc=mageia,dc=org"
attrs=userPassword
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
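Review bot: `by users read` on shadowLastChange (the `+` line) still lets every authenticated account read when each user last changed their password, which with the self-registration described later in this file is a small enumeration aid for spotting stale accounts; `by self read` plus a read grant for the identity the NSS/PAM clients bind as would be tighter, but only if those clients do not bind anonymously, which is not visible here. The unchanged `by self write` context line also lets a user rewrite their own shadowLastChange and so push out any shadow-based expiry; if the ppolicy overlay (the `ou=Password Policies` and `pwdReset` rules elsewhere in this file) is the authoritative expiry mechanism, `by self read` would be enough. A comment such as `# self write is required for pam_ldap password changes; users read is for NSS shadow lookups` would record why these grants exist. The userPassword directive that begins at the end of this hunk continues outside it.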
@@ -53,7 +53,7 @@
# password policies
access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
@@ -77,16 +77,18 @@
access to dn.subtree="dc=mageia,dc=org"
attrs=pwdReset,pwdAccountLockedTime
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by self read
# group owner can add/remove/edit members to groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
attrs=member
by dnattr=owner write
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by users +sx
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
attrs=cn,description,objectClass,gidNumber
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by users read
# registration - allow registrar group to create basic unprivileged accounts
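Review bot: The new `by group.exact="cn=Account Admins,..." write` on `attrs=member` applies to the whole `ou=(System Groups|Group)` regex, so Account Admins can now add themselves to `cn=Sudo Admins`, `cn=DNS Admins`, `cn=IDMAP Admins` and every other group under `ou=System Groups`, which makes Account Admin a superset of every admin role defined in this file. The pre-existing `by dnattr=owner write` has the same reach for whoever owns a system group, but this hunk widens it to a whole group. If that escalation is not intended, split the directive so the Account Admins clause is only on `access to dn.regex="^cn=[^,]+,ou=Group,dc=mageia,dc=org$"` and keep a separate `ou=System Groups` directive with just the owner and `by users +sx` clauses; if it is intended, say so with `# Account Admins can manage membership of all system groups, i.e. grant any admin role`.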
@@ -106,7 +108,7 @@
access to dn.subtree="ou=People,dc=mageia,dc=org"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
by self write
- by users +sx
+ by users read
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
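Review bot: `by users read` on the `+` line exposes homePhone, homePostalAddress, mobile and pager of every person to every authenticated account, and the `# registration` comment just above this hunk in the file shows that accounts are created through self-registration, so any registrant can harvest members' home addresses and phone numbers; the replaced `+sx` allowed filtering and authentication but not reading the values. Consider giving `by users read` only to `mail` and `preferredLanguage` (perhaps `telephoneNumber`) in one directive and leaving the home/mobile contact attributes at `by self write` / `by users +sx`, or gating them behind a group. If the disclosure is deliberate, document it with `# contact details are readable by every account, including self-registered ones`.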
@@ -122,21 +124,21 @@
access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
attrs=children,entry, at sambaDomain, at sambaUnixIdPool
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
attrs=children,entry, at sambaIdmapEntry
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# global address book
# XXX - which class(es) to use?
access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
attrs=children,entry, at inetOrgPerson, at evolutionPerson, at evolutionPersonList
by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# dhcp entries
# XXX - open up read access to anybody?
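Review bot: The address-book pattern `^(.*,)?ou=Address Book,dc=mageia,dc=org` is the only DN regex in this hunk without a trailing `$`, unlike the sambaDomain and Idmap patterns above it, so it also matches any normalized DN that merely starts with that text. Inside a single database suffix that is unlikely to be abusable, but anchoring it keeps the ACL set uniform and avoids a surprise if another suffix is ever served: `access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org$"`.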
@@ -150,13 +152,13 @@
access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
attrs=children,entry, at sudoRole
by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# dns
access to dn="ou=dns,dc=mageia,dc=org"
attrs=entry, at extensibleObject
by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
access to dn.sub="ou=dns,dc=mageia,dc=org"
attrs=children,entry, at dNSZone
by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
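Review bot: `by users read` on `@sudoRole` (the first `+` line) lets any authenticated account, including self-registered ones, enumerate which users and groups have sudo on which hosts, which is direct reconnaissance for targeting privileged accounts. sudo's LDAP lookups on client hosts run under whatever binddn their ldap.conf configures, so if that is a dedicated service identity the read grant can be narrowed to that DN (`by dn.exact=... read`) alongside the Sudo Admins write; if the clients currently bind anonymously, this commit already breaks them and a service identity is needed anyway, which is worth stating in a comment such as `# sudoRole data is sensitive; only the sudo client identity and Sudo Admins should read it`. The dns grant below has the same shape, but zone data is public by nature, so `by users read` is fine there.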
@@ -169,7 +171,7 @@
access to dn.one="ou=People,dc=mageia,dc=org"
attrs=@inetLocalMailRecipient,mail
by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# KDE Configuration
access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
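Review bot: For entries directly under `ou=People`, the `mail` attribute listed in this directive's `attrs=` is never reached: the earlier directive in this file (the hunk at `@@ -106`) already targets `attrs=...,mail,...` on `dn.subtree="ou=People,dc=mageia,dc=org"`, and slapd applies the first `access` directive whose target matches, so MTA Admins get write only on the other inetLocalMailRecipient attributes while `mail` stays at `by self write` / `by users read` from that earlier rule. If `mail` is a routing key for the MTA, self-write on it is exactly what this rule looks intended to prevent, so either drop `mail` from the earlier directive's attribute list or move this directive ahead of it, and record the dependency with `# mail must not appear in an earlier ou=People directive or this rule is shadowed`. Whether the MTA keys on mail or on mailLocalAddress is not visible here.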
@@ -178,5 +180,5 @@
# last one
access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
- by * read
+ by users read
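Review bot: With `by users read` on `entry,uid,cn` and the implicit trailing `by * none`, anonymous binds now get no access at all under `dc=mageia,dc=org`, so an unauthenticated search returns nothing; any client that searches for `uid=<login>` to discover a DN before binding (pam_ldap/nslcd without a binddn, web applications, samba, sudo, the MTA) must bind with a service identity or it will silently stop resolving users. That is presumably the intent of the commit, but `# last one` does not say so; suggest `# last one: anonymous gets nothing (implicit "by * none"); every client, including NSS/PAM and pre-bind uid lookups, must bind as a real identity`. Whether those clients already bind authenticated is not visible from this file.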