
# This configuration file contains default ACLs that attempt to cater
# to most setups, specifically unix authentication, samba's ldapsam backend
# and allowing users to have a shared address book
# If these ACLs don't meet your needs, please do not modify the file in-place,
# but rather make a copy, and change the include directive in slapd.conf
# This file is *not* marked as noreplace, so it will be replaced during an
# upgrade, this is done so that we can ensure that the ACLs are in sync with
# the schema files they require.

# The root DIT (the empty DN, dn.exact="") should be accessible to all
# clients: "by *" covers anonymous as well as authenticated binds.
# Editing note for this whole file: keep comments on their own lines above an
# "access to" directive, never between its indented "by" lines -- slapd.conf
# treats an indented line as a continuation of the previous line even when
# that previous line is a comment, so an interleaved comment would silently
# swallow the clause that follows it.
access to dn.exact=""
	by * read

# So should the schema: cn=Subschema and everything below it is readable by
# everyone (anonymous included), so clients can look up the attribute types
# and object classes the server enforces.
access to dn.subtree="cn=Subschema"
	by * read

# Generic ACLs
# These ACLs should work well for any domain-based (i.e. dc=...,dc=...) suffix,
# but need adjustment and testing for any other suffix.
# Note that these ACLs allow anonymous read access to most non-password
# attributes; if you want to prevent leakage of this information, remove
# the "by anonymous read" lines.
# Regex-based ACLs also impose a performance penalty, replace
# for example dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$" with
# dn.subtree="ou=People,dc=example,dc=com" and all $2's with dc=example,dc=com
# if you need the extra performance

# Protect password attributes. A regex is used instead of one rule per ou=
# container so that a single rule covers entries directly below any ou=...
# under the dc= suffix, and so generic accounts can be granted write access
# through the $2 (suffix) expansion.
# slapd itself only authenticates against userPassword; the samba* attributes
# are listed here so they receive the same protection without having to
# duplicate most of the rules below.
# Target: "<rdn>,ou=<anything>,dc=...". The leading group uses [^,]* so the
# first RDN may be empty and the ou= container entry itself is covered too.
# Entries nested more than one level below an ou= do NOT match this rule and
# fall through to whatever later rule (or default) applies to them.
# Ordering matters: slapd uses the first "access to" clause whose target
# matches, so this rule must stay ahead of the per-ou rules below, whose
# attrs= lists name objectClasses that could otherwise cover the same
# attributes.
# "by" clauses, first match wins:
#  - self: an entry may change its own password attributes
#  - uid=root under ou=People and the Domain Controllers / Replicator groups
#    of the same suffix ($2) may set anyone's
#  - anonymous may only use these attributes to authenticate (bind), not read
#  - everyone else, including other authenticated users: no access
access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
        by self write
        by dn.exact,expand="uid=root,ou=People,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
	by group.expand="cn=Replicator,ou=Group,$2" write
        by anonymous auth
        by * none

# ACL allowing samba domain controllers to write their domain info.
# Target: the sambaDomainName=<name> entry directly under the dc= suffix
# ($1 = the domain name, not used; $2 = the suffix used by the expand clauses).
# "entry" and "children" are slapd pseudo-attributes: access to the entry
# itself and to adding/removing entries below it. sambaDomain is an
# objectClass name, presumably standing for the attributes it allows --
# confirm against slapd.access(5) for this server version.
# Writers: uid=root under ou=People and the Domain Controllers / Replicator
# groups of the same suffix. Everyone else may read, including anonymous
# clients (see the note above about removing "by anonymous read").
access to dn.regex="^sambaDomainName=([^,]+),(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,sambaDomain
        by dn.exact,expand="uid=root,ou=People,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
	by group.expand="cn=Replicator,ou=Group,$2" write
        by users read
	by anonymous read

# ACL allowing samba domain controllers to add user accounts.
# Target: ou=People directly under the dc= suffix and the entries one level
# below it ($2 = the suffix). "entry"/"children" govern the entries
# themselves; posixAccount and sambaSamAccount are objectClass names,
# presumably covering the attributes those classes allow -- confirm against
# slapd.access(5). Any password attributes they would include are already
# claimed by the password rule above, which is evaluated first.
# Writers: uid=root under ou=People and the Domain Controllers / Replicator
# groups. Other authenticated users and anonymous clients may read.
access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixAccount,sambaSamAccount
        by dn.exact,expand="uid=root,ou=People,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
	by group.expand="cn=Replicator,ou=Group,$2" write
        by users read
	by anonymous read

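# Allow users to modify their own "address book" entries: the inetOrgPerson
# attributes and mail on entries one level below ou=People ($2 = the suffix).
# The regex is anchored with '^' like every other rule in this file; the
# previous unanchored form also matched DNs with any number of RDNs in front
# of ou=People (entries nested below a sub-ou), which no other rule here does,
# so it granted this rule to entries the neighbouring People rule excludes.
# "by" clauses, first match wins:
#  - self: a user may change its own entry
#  - uid=root under ou=People and the Domain Controllers / Replicator groups
#    of the same suffix may change anyone's
#  - other authenticated users and anonymous clients get read only
access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=inetOrgPerson,mail
        by self write
        by dn.exact,expand="uid=root,ou=People,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
        by group.expand="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read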

# Allow samba domain controllers to create groups and group mappings.
# Target: ou=Group directly under the dc= suffix and the entries one level
# below it ($2 = the suffix). "entry"/"children" govern the entries
# themselves; posixGroup and sambaGroupMapping are objectClass names,
# presumably covering the attributes those classes allow -- confirm against
# slapd.access(5).
# Writers: uid=root under ou=People and the Domain Controllers / Replicator
# groups (which themselves live under this ou=Group). Other authenticated
# users and anonymous clients may read.
access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixGroup,sambaGroupMapping
        by dn.exact,expand="uid=root,ou=People,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
	by group.expand="cn=Replicator,ou=Group,$2" write
        by users read
	by anonymous read

# Allow samba domain controllers to create machine accounts.
# Target: ou=Hosts directly under the dc= suffix and the entries one level
# below it ($2 = the suffix). "entry"/"children" govern the entries
# themselves; posixAccount, inetOrgperson and sambaSamAccount are objectClass
# names, presumably covering the attributes those classes allow -- confirm
# against slapd.access(5). "inetOrgperson" is spelled with a different case
# than elsewhere in this file; LDAP names are case-insensitive, so this is
# cosmetic only.
# Writers: uid=root under ou=People and the Domain Controllers / Replicator
# groups. Other authenticated users and anonymous clients may read.
access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
        by dn.exact,expand="uid=root,ou=People,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
	by group.expand="cn=Replicator,ou=Group,$2" write
        by users read
	by anonymous read

# Allow samba to create idmap entries.
# Target: ou=Idmap directly under the dc= suffix and the entries one level
# below it ($2 = the suffix). "entry"/"children" govern the entries
# themselves; sambaIdmapEntry is an objectClass name, presumably covering the
# attributes it allows -- confirm against slapd.access(5).
# Writers: uid=root under ou=People and the Domain Controllers / Replicator
# groups. Other authenticated users and anonymous clients may read.
access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,sambaIdmapEntry
        by dn.exact,expand="uid=root,ou=People,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
	by group.expand="cn=Replicator,ou=Group,$2" write
        by users read
	by anonymous read

# Allow users in the domain to add entries to the "global address book".
# For use with Evolution, the attrs list could be modified to be:
# attrs=children,entry,inetOrgPerson,evolutionperson,calEntry
# if evolutionperson.schema and calendar.schema are available.
# Target: ou=Contacts directly under the dc= suffix and the entries one level
# below it ($2 = the suffix). "entry"/"children" govern the entries
# themselves; inetOrgPerson is an objectClass name, presumably covering the
# attributes it allows -- confirm against slapd.access(5).
# Writers: any bound DN located anywhere below ou=People of the same suffix
# (dn.sub), which is what "users in the domain" means here, plus the
# Replicator group. Other authenticated identities (e.g. those bound as
# entries outside ou=People) and anonymous clients may read.
# The attrs= line is indented one column less than its siblings; any leading
# whitespace makes it a continuation line, so this is cosmetic only.
access to dn.regex="^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
       attrs=children,entry,inetOrgPerson
        by dn.sub,expand="ou=People,$2" write
        by group.expand="cn=Replicator,ou=Group,$2" write
        by users read
	by anonymous read