# This is a good place to put slapd access-control directives


# Generic ACLs
# These ACLs should work well for any domain-based (ie dc=,dc=) suffix,
# but need adjustment and testing for any other suffix

# Protect passwords, using a regex so we can have generic accounts with
# write access
# Openldap will not authenticate against non-userPassword attributes
# but we would have to duplicate most rules ...
access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
        attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
        by self write
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by anonymous auth
        by * none

# ACL allowing samba domain controllers to add user accounts
access to dn="^(.*,)?ou=People,(dc=.+,?)+$$"
        attrs=entry,children,posixAccount,sambaAccount,sambaSamAccount
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read

# allow users to modify their own "address book" entries:
access to dn="(.+,)+ou=People,(dc.+,?)+$$"
        attrs=inetOrgPerson,mail
        by self write
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read

# Allow samba domain controllers to create groups and group mappings
access to dn="^(.*,)?ou=Group,(dc=.+,?)+$$"
        attrs=entry,children,posixGroup,sambaGroupMapping
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read

# Allow samba domain controllers to create machine accounts
access to dn="^(.*,)?ou=Hosts,(dc=.+,?)+$$"
        attrs=entry,children,posixAccount,inetOrgperson
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read

# Allow samba to create idmap entries (not well tested)
access to dn="^(.*,)?ou=Idmap,(dc=.+,?)+$$"
        attrs=entry,children,sambaIdmapEntry
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read