WMDE
/
puppet-wmdeit_ldap
2
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

ACLS implemenetd

This commit is contained in:
Tobias Herre 2020-08-27 19:08:54 +02:00
parent 89c64af144
commit a143e8639a
1 changed files with 74 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
manifests/init.pp
View File

@ -68,25 +68,60 @@ class wmdeit_ldap (
], ],
$ssldir = "/etc/ldap/ssl", $ssldir = "/etc/ldap/ssl",
$acls = [ $acl = {
# grant accces to domain admins # Super access to local root user
'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break', '0 to *' => [
'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break', 'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
'by * break',
],
# Admin rights for members of Admin group
'1 to *' => [
"by set=\"user & [cn=Admins,ou=Groups,$database]/member\" write",
'by * break'
],
# let users modify their passwords, and disable read acess to all others
'2 to attrs=userPassword,sambaNTPassword' => [
"by self write",
"by anonymous auth",
"by * none",
],
# let users read all
'3 to *' => [
"by anonymous break",
"by * read",
],
"4 to dn.subtree=\"$database\" attrs=entry,objectClass" => [
"by anonymous read",
"by * break",
],
'5 to *' => [
"by * none",
]
},
# 'by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break'
# super acces to local root user # super acces to local root user
'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break', # 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
# grant accces to domain admins
# 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
# 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
# 'to * by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break',
# 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
# let users modify their passwords # let users modify their passwords
'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none', # 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
# 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
'to attrs=entry,children,objectClass,uid by anonymous read by * break', # 'to * by anonymous none by * break',
'to * by anonymous none by * break', # 'to dn.base="" by * read',
# 'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
'to dn.base="" by * read',
'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
]
){ ){
$clientcert = $facts[clientcert] $clientcert = $facts[clientcert]
@ -263,33 +298,48 @@ class wmdeit_ldap (
rootpw => $rootpw, rootpw => $rootpw,
# syncrepl => $syncrepl, # syncrepl => $syncrepl,
mirrormode => $mirrormode, mirrormode => $mirrormode,
} #-> }
# openldap::server::overlay { "memberof on $database": ->
# ensure => present, openldap::server::overlay { "memberof on $database":
# } -> ensure => present,
}
# ->
# openldap::server::overlay { "syncprov on $database": # openldap::server::overlay { "syncprov on $database":
# ensure => present, # ensure => present,
# } -> # }
# openldap::server::overlay { "smbk5pwd on $database": ->
# ensure => present, openldap::server::overlay { "smbk5pwd on $database":
# } ensure => present,
}
# $acls.each |Integer $i, String $acl | { # $acls.each |Integer $i, $acl | {
# notify{"Set ACL $i $acl":}
# openldap::server::access { "{$i}$acl": # openldap::server::access { "{$i}$acl":
# openldap::server::access { "$i on $database":
# suffix => "$database", # suffix => "$database",
# ensure => present, # ensure => present,
# access => $acl['access'],
# what => $acl['to'],
# } # }
# } # }
#
openldap::server::access_wrapper { $database :
acl => $acl,
}
#'''''################################################################################################## #'''''##################################################################################################
# #
# #
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break': # openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break on $database':
# suffix => "$database", # suffix => "$database",
# access => '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
# ensure => present, # ensure => present,
# } # }
#
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break': # openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
# suffix => "$database", # suffix => "$database",
# ensure => present, # ensure => present,