# This is a good place to put slapd access-control directives # Generic ACLs # These ACLs should work well for any domain-based (ie dc=,dc=) suffix, # but need adjustment and testing for any other suffix # Protect passwords, using a regex so we can have generic accounts with # write access # Openldap will not authenticate against non-userPassword attributes # but we would have to duplicate most rules ... access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$" attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword by self write by dn="uid=root,ou=People,$2" write by group="cn=Domain Controllers,ou=Group,$2" write by anonymous auth by * none # ACL allowing samba domain controllers to add user accounts access to dn="^(.*,)?ou=People,(dc=.+,?)+$$" attrs=entry,children,posixAccount,sambaAccount,sambaSamAccount by dn="uid=root,ou=People,$2" write by group="cn=Domain Controllers,ou=Group,$2" write by * read # allow users to modify their own "address book" entries: access to dn="(.+,)+ou=People,(dc.+,?)+$$" attrs=inetOrgPerson,mail by self write by dn="uid=root,ou=People,$2" write by group="cn=Domain Controllers,ou=Group,$2" write by * read # Allow samba domain controllers to create groups and group mappings access to dn="^(.*,)?ou=Group,(dc=.+,?)+$$" attrs=entry,children,posixGroup,sambaGroupMapping by dn="uid=root,ou=People,$2" write by group="cn=Domain Controllers,ou=Group,$2" write by * read # Allow samba domain controllers to create machine accounts access to dn="^(.*,)?ou=Hosts,(dc=.+,?)+$$" attrs=entry,children,posixAccount,inetOrgperson by group="cn=Domain Controllers,ou=Group,$2" write by * read # Allow samba to create idmap entries (not well tested) access to dn="^(.*,)?ou=Idmap,(dc=.+,?)+$$" attrs=entry,children,sambaIdmapEntry by group="cn=Domain Controllers,ou=Group,$2" write by * read