slapd: implement proper ACL

2019-05-13 20:03:20 +02:00 · 2019-05-13 20:03:20 +02:00 · 00826a8d14
commit 00826a8d14
parent 6fec0e62bc
1 changed files with 27 additions and 4 deletions
--- a/roles/slapd/templates/slapd.conf.j2
+++ b/roles/slapd/templates/slapd.conf.j2
@ -45,16 +45,39 @@ moduleload	syncprov.la
 # ACL
 #######################################################################

-access to dn.base="" by * read
-access to dn.base="cn=Subschema" by * read
+access to dn.base=""
+	by * read
+access to dn.base="cn=Subschema"
+	by * read
+access to dn.one="ou=people,dc=binary-kitchen,dc=de" attrs=userPassword
+	by self write
+	by group="cn=admin,dc=binary-kitchen,dc=de" write
+	by anonymous auth
+	by * none
+access to dn.one="ou=people,dc=binary-kitchen,dc=de" attrs=loginShell
+	by self write
+	by group="cn=admin,dc=binary-kitchen,dc=de" write
+	by users read
+	by * none
+access to dn.one="ou=people,dc=binary-kitchen,dc=de"
+	by group="cn=admin,dc=binary-kitchen,dc=de" write
+	by self read
+	by users read
+	by * none
+access to dn.one="ou=groups,dc=binary-kitchen,dc=de" attrs=memberUid
+	by group="cn=admin,dc=binary-kitchen,dc=de" write
+	by self read
+	by users read
+	by * none
 access to attrs=userPassword
 	by self write
 	by anonymous auth
-	by * read
+	by * none
 access to attrs=loginShell
 	by self write
+	by group="cn=admin,dc=binary-kitchen,dc=de" write
 	by users read
-	by * read
+	by * none
 access to *
 	by self read
 	by users read