From 00826a8d14020e5d06834331ff53f761eb4333ad Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 13 May 2019 20:03:20 +0200
Subject: [PATCH] slapd: implement proper ACL

---
 roles/slapd/templates/slapd.conf.j2 | 31 +++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/roles/slapd/templates/slapd.conf.j2 b/roles/slapd/templates/slapd.conf.j2
index a35687d..7e35941 100644
--- a/roles/slapd/templates/slapd.conf.j2
+++ b/roles/slapd/templates/slapd.conf.j2
@@ -45,16 +45,39 @@ moduleload syncprov.la
 
 # ACL
 #######################################################################
-access to dn.base="" by * read
-access to dn.base="cn=Subschema" by * read
+access to dn.base=""
+ by * read
+access to dn.base="cn=Subschema"
+ by * read
+access to dn.one="ou=people,dc=binary-kitchen,dc=de" attrs=userPassword
+ by self write
+ by group="cn=admin,dc=binary-kitchen,dc=de" write
+ by anonymous auth
+ by * none
+access to dn.one="ou=people,dc=binary-kitchen,dc=de" attrs=loginShell
+ by self write
+ by group="cn=admin,dc=binary-kitchen,dc=de" write
+ by users read
+ by * none
+access to dn.one="ou=people,dc=binary-kitchen,dc=de"
+ by group="cn=admin,dc=binary-kitchen,dc=de" write
+ by self read
+ by users read
+ by * none
+access to dn.one="ou=groups,dc=binary-kitchen,dc=de" attrs=memberUid
+ by group="cn=admin,dc=binary-kitchen,dc=de" write
+ by self read
+ by users read
+ by * none
 access to attrs=userPassword
  by self write
  by anonymous auth
- by * read
+ by * none
 access to attrs=loginShell
  by self write
+ by group="cn=admin,dc=binary-kitchen,dc=de" write
  by users read
- by * read
+ by * none
 access to *
  by self read
  by users read
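Review bot: The four new `by group="cn=admin,dc=binary-kitchen,dc=de" write` clauses depend on slapd's default group semantics, which expect `cn=admin` to be a `groupOfNames` listing its members as DNs in `member`; the hunk does not show how `cn=admin` is defined, and the entries under `ou=groups` evidently carry `memberUid` (a non-DN attribute that `by group=` cannot evaluate), so if the admin group is modelled the same way the clause never matches and an admin bind silently falls through to `by * none` instead of gaining write access. Spelling the expectation out as `by group/groupOfNames/member="cn=admin,dc=binary-kitchen,dc=de" write` makes the dependency explicit and should make slaptest reject the config if that objectClass is not in the schema. In the `ou=groups ... attrs=memberUid` clause, `by self read` can only match a bind whose DN is the group entry itself, so it is dead and can be dropped since `by users read` already covers members. A comment above the `ou=people` clauses noting that `dn.one` only covers direct children, so anything nested deeper falls through to the catch-all `access to *`, would save the next editor a surprise.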