# This configuration file contains default ACLs that attempt to cater # to most setups, specifically unix authentication, samba's ldapsam backend # and allowing users to have a shared address book # If these ACLs don't meet your needs, please do not modify the file in-place, # but rather make a copy, and change the include directive in slapd.conf # This file is *not* marked as noreplace, so it will be replaced during an # upgrade, this is done so that we can ensure that the ACLs are in sync with # the schema files they require. # The root DIT should be accessible to all clients access to dn.exact="" by * read # So should the schema access to dn.subtree="cn=Subschema" by * read # Generic ACLs # These ACLs should work well for any domain-based (ie dc=,dc=) suffix, # but need adjustment and testing for any other suffix # Note that these ACLs allow anonymous read access to most non-password # attributes, you may want to prevent leakage of this information by # removing the "by anonymous read" lines # Regex-based ACLs also impose a performance penalty, replace # for example dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$" with # dn.subtree="ou=People,dc=example,dc=com" and all $2's with dc=example,dc=com # if you need the extra performance # Protect passwords, using a regex so we can have generic accounts with # write access # Openldap will not authenticate against non-userPassword attributes # but we would have to duplicate most rules ... access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$" attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet by self write by dn.exact,expand="uid=root,ou=People,$2" write by group.expand="cn=Domain Controllers,ou=Group,$2" write by group.expand="cn=Replicator,ou=Group,$2" write by anonymous auth by * none # ACL allowing samba domain controllers to write their domain info access to dn.regex="^sambaDomainName=([^,]+),(dc=[^,]+(,dc=[^,]+)*)$" attrs=entry,children,sambaDomain by dn.exact,expand="uid=root,ou=People,$2" write by group.expand="cn=Domain Controllers,ou=Group,$2" write by group.expand="cn=Replicator,ou=Group,$2" write by users read by anonymous read # ACL allowing samba domain controllers to add user accounts access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$" attrs=entry,children,posixAccount,sambaSamAccount by dn.exact,expand="uid=root,ou=People,$2" write by group.expand="cn=Domain Controllers,ou=Group,$2" write by group.expand="cn=Replicator,ou=Group,$2" write by users read by anonymous read # allow users to modify their own "address book" entries: access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$" attrs=inetOrgPerson,mail by self write by dn.exact,expand="uid=root,ou=People,$2" write by group.expand="cn=Domain Controllers,ou=Group,$2" write by group.expand="cn=Replicator,ou=Group,$2" write by users read by anonymous read # Allow samba domain controllers to create groups and group mappings access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$" attrs=entry,children,posixGroup,sambaGroupMapping by dn.exact,expand="uid=root,ou=People,$2" write by group.expand="cn=Domain Controllers,ou=Group,$2" write by group.expand="cn=Replicator,ou=Group,$2" write by users read by anonymous read # Allow samba domain controllers to create machine accounts access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$" attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount by dn.exact,expand="uid=root,ou=People,$2" write by group.expand="cn=Domain Controllers,ou=Group,$2" write by group.expand="cn=Replicator,ou=Group,$2" write by users read by anonymous read # Allow samba to create idmap entries access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$" attrs=entry,children,sambaIdmapEntry by dn.exact,expand="uid=root,ou=People,$2" write by group.expand="cn=Domain Controllers,ou=Group,$2" write by group.expand="cn=Replicator,ou=Group,$2" write by users read by anonymous read # Allow users in the domain to add entries to the "global address book": # For use with Evolution, the attrs list could be modified to be: # attrs=children,entry,inetOrgPerson,evolutionperson,calEntry # if evolutionperson.schema and calendar.schema are available access to dn.regex="^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$" attrs=children,entry,inetOrgPerson by dn.sub,expand="ou=People,$2" write by group.expand="cn=Replicator,ou=Group,$2" write by users read by anonymous read