From 5e3e1e1cd4c458001e5f69d3334c7a8bb124e453 Mon Sep 17 00:00:00 2001
From: tohe
Date: Thu, 27 Aug 2020 20:22:01 +0200
Subject: [PATCH] Restrict user to password, removed some out-commentd stuff

---
 manifests/init.pp | 26 ++------------------------
 1 file changed, 2 insertions(+), 24 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 9baf08a..01ad73e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -80,13 +80,13 @@ class wmdeit_ldap (
 'by * break'
 ],
 # let users modify their passwords, and disable read acess to all others
- '2 to attrs=userPassword,sambaNTPassword' => [
+ '2 to attrs=userPassword' => [
 "by self write",
 "by anonymous auth",
 "by * none",
 ],
 # let users read all
- '3 to *' => [
+ '3 to attr=entry,objectClass,givenName,cn,displayName' => [
 "by anonymous break",
 "by * read",
 ],
@@ -101,28 +101,6 @@ class wmdeit_ldap (
 },
-
- # 'by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break'
-
- # super acces to local root user
- # 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
- # grant accces to domain admins
- # 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
- # 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
- # 'to * by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break',
- # 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
-
-
- # let users modify their passwords
- # 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
-
- # 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
-
- # 'to * by anonymous none by * break',
-
- # 'to dn.base="" by * read',
- # 'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
-
 ){
 $clientcert = $facts[clientcert]
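Review bot: The new rule `'3 to attr=entry,objectClass,givenName,cn,displayName' => [` spells the attribute selector `attr=` while rule 2 in the same hunk (and the previously commented-out examples) use `attrs=`, which is the form slapd.access documents; make it `'3 to attrs=entry,objectClass,givenName,cn,displayName' => [` and confirm the generated olcAccess value is accepted by slapd, since the two spellings should not be mixed in one ACL set. The comment above it, `# let users read all`, is now stale because the rule no longer matches `to *`; suggest `# let users read only a small set of public attributes (entry, objectClass, givenName, cn, displayName)`. Dropping `sambaNTPassword` from rule 2 also removes the `by * none` that protected it, so that attribute now falls through to whatever rules follow (outside this hunk) or the implicit final deny — worth checking that no later `to *` rule grants it read or write access. The enclosing ACL hash and the class parameter list continue outside the hunk.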