ACLS implemenetd
This commit is contained in:
parent
89c64af144
commit
a143e8639a
|
@ -68,25 +68,60 @@ class wmdeit_ldap (
|
|||
],
|
||||
$ssldir = "/etc/ldap/ssl",
|
||||
|
||||
$acls = [
|
||||
# grant accces to domain admins
|
||||
'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
||||
'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
|
||||
$acl = {
|
||||
# Super access to local root user
|
||||
'0 to *' => [
|
||||
'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
|
||||
'by * break',
|
||||
],
|
||||
# Admin rights for members of Admin group
|
||||
'1 to *' => [
|
||||
"by set=\"user & [cn=Admins,ou=Groups,$database]/member\" write",
|
||||
'by * break'
|
||||
],
|
||||
# let users modify their passwords, and disable read acess to all others
|
||||
'2 to attrs=userPassword,sambaNTPassword' => [
|
||||
"by self write",
|
||||
"by anonymous auth",
|
||||
"by * none",
|
||||
],
|
||||
# let users read all
|
||||
'3 to *' => [
|
||||
"by anonymous break",
|
||||
"by * read",
|
||||
],
|
||||
"4 to dn.subtree=\"$database\" attrs=entry,objectClass" => [
|
||||
"by anonymous read",
|
||||
"by * break",
|
||||
],
|
||||
'5 to *' => [
|
||||
"by * none",
|
||||
]
|
||||
|
||||
|
||||
},
|
||||
|
||||
|
||||
# 'by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break'
|
||||
|
||||
# super acces to local root user
|
||||
'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
|
||||
|
||||
# let users modify their passwords
|
||||
'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
|
||||
# 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
|
||||
# grant accces to domain admins
|
||||
# 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
||||
# 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
|
||||
# 'to * by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break',
|
||||
# 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
|
||||
|
||||
|
||||
'to attrs=entry,children,objectClass,uid by anonymous read by * break',
|
||||
# let users modify their passwords
|
||||
# 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
|
||||
|
||||
'to * by anonymous none by * break',
|
||||
# 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
|
||||
|
||||
'to dn.base="" by * read',
|
||||
'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
|
||||
]
|
||||
# 'to * by anonymous none by * break',
|
||||
|
||||
# 'to dn.base="" by * read',
|
||||
# 'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
|
||||
|
||||
){
|
||||
$clientcert = $facts[clientcert]
|
||||
|
@ -263,33 +298,48 @@ class wmdeit_ldap (
|
|||
rootpw => $rootpw,
|
||||
# syncrepl => $syncrepl,
|
||||
mirrormode => $mirrormode,
|
||||
} #->
|
||||
# openldap::server::overlay { "memberof on $database":
|
||||
# ensure => present,
|
||||
# } ->
|
||||
}
|
||||
->
|
||||
openldap::server::overlay { "memberof on $database":
|
||||
ensure => present,
|
||||
}
|
||||
# ->
|
||||
# openldap::server::overlay { "syncprov on $database":
|
||||
# ensure => present,
|
||||
# } ->
|
||||
# openldap::server::overlay { "smbk5pwd on $database":
|
||||
# ensure => present,
|
||||
# }
|
||||
->
|
||||
openldap::server::overlay { "smbk5pwd on $database":
|
||||
ensure => present,
|
||||
}
|
||||
|
||||
# $acls.each |Integer $i, String $acl | {
|
||||
# $acls.each |Integer $i, $acl | {
|
||||
# notify{"Set ACL $i $acl":}
|
||||
# openldap::server::access { "{$i}$acl":
|
||||
# openldap::server::access { "$i on $database":
|
||||
# suffix => "$database",
|
||||
# ensure => present,
|
||||
# access => $acl['access'],
|
||||
# what => $acl['to'],
|
||||
# }
|
||||
# }
|
||||
#
|
||||
|
||||
openldap::server::access_wrapper { $database :
|
||||
acl => $acl,
|
||||
}
|
||||
|
||||
|
||||
|
||||
#'''''##################################################################################################
|
||||
#
|
||||
#
|
||||
|
||||
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
|
||||
# openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break on $database':
|
||||
# suffix => "$database",
|
||||
# access => '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
||||
# ensure => present,
|
||||
# }
|
||||
|
||||
#
|
||||
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
|
||||
# suffix => "$database",
|
||||
# ensure => present,
|
||||
|
|
Loading…
Reference in New Issue