Restrict user to password, removed some out-commentd stuff

2020-08-27 20:22:01 +02:00 · 2020-08-27 20:22:01 +02:00 · 5e3e1e1cd4
parent 023f0167a7
commit 5e3e1e1cd4
1 changed files with 2 additions and 24 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -80,13 +80,13 @@ class wmdeit_ldap (
 			'by * break'
 		],
 		# let users modify their passwords, and disable read acess to all others
-		'2 to attrs=userPassword,sambaNTPassword' => [
+		'2 to attrs=userPassword' => [
 			"by self write",
 			"by anonymous auth",
 			"by * none",
 		],
 		# let users read all
-		'3 to *' => [
+		'3 to attr=entry,objectClass,givenName,cn,displayName' => [
 		        "by anonymous break",	
 			"by * read",
 		],
@ -101,28 +101,6 @@ class wmdeit_ldap (
 	},
 	#	'by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break'
 		# super acces to local root user	
 	#	'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
 		# grant accces to domain admins	
 	#		'to *  by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
 	#		'to *  by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
 	#		'to *  by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break',
 	#		'to *  by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
 	# let users modify their passwords
 	#	'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
 	#	'to attrs=entry,children,objectClass,uid by anonymous read by * break',
 	#	'to * by anonymous none by * break',
 	#	'to dn.base="" by * read',
 	#	'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
 ){
 	$clientcert = $facts[clientcert]