From c396989424de647c5cdc4b7b9e88558dfa03545a Mon Sep 17 00:00:00 2001
From: tohe
Date: Fri, 28 May 2021 20:27:13 +0200
Subject: [PATCH] Modified to use group of members, some access rights added

---
 manifests/init.pp | 37 +++++++++++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index cbbb6ba..a48b62a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -25,6 +25,7 @@ class wmdeit_ldap (
 "rfc2307bis",
 "krb5-kdc",
 "samba",
+ "ppolicy",
 # "samba",
 # "nis",
@@ -79,24 +80,37 @@ class wmdeit_ldap (
 "by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
 'by * break'
 ],
+ # System rights for members of Adm group
+ '2 to *' => [
+ "by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
+ 'by * break'
+ ],
+ # System rights for members of Adm group
+ '3 to *' => [
+ "by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
+ 'by * break'
+ ],
+
 # let users modify their passwords, and disable read acess to all others
- '2 to attrs=userPassword' => [
+# '4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
+# '4 to attrs=userPassword filter=(!(shadowExpire=0))' => [
+ '4 to attrs=userPassword' => [
 "by self write",
 "by anonymous auth",
 "by * none",
 ],
 # let users read all
- '3 to attr=entry,objectClass,givenName,cn,displayName' => [
+ '5 to attr=entry,objectClass,givenName,cn,displayName' => [
 "by anonymous break",
 "by * read",
 ],
 # let anonymous users list uids
- "4 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
+ "6 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
 "by anonymous read",
 "by * break",
 ],
 # deny access to anything else
- '5 to *' => [
+ '7 to *' => [
 "by * none",
 ]
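Review bot: The new `'3 to *'` clause grants members of cn=ReadOnlyAdm read on every attribute, including `userPassword`, because it matches the password attribute before the `'4 to attrs=userPassword'` clause whose `by * none` is meant to hide hashes from everyone but the owner; in OpenLDAP the first `to` clause that matches an attribute is the one evaluated, and `read` is granted there without reaching `break`, so any read-only admin account can retrieve password hashes (the same holds for `'2 to *'`, where `write` implies read, which may well be intended for Adm but deserves an explicit comment). If hash exposure to ReadOnlyAdm is not intended, the `attrs=userPassword` clause has to precede both `to *` clauses, with the Adm group's write kept inside it, and the remaining clauses renumbered, as sketched below. The comment above `'3 to *'` is a copy of the one above `'2 to *'` and should read `# System rights for members of ReadOnlyAdm group`. The two commented-out `'4 to attrs=userPassword filter=…'` alternatives (one with a hard-coded `dc=wikimedia,dc=de` instead of `$database`) are dead text inside the ACL hash that a later uncomment would turn into a duplicate key; the enclosing hash itself begins before this hunk.
```puppet
    # password attribute first: the "to *" clauses below must never reach it
    '2 to attrs=userPassword' => [
       "by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
       "by self write",
       "by anonymous auth",
       "by * none",
    ],
    # System rights for members of Adm group
    '3 to *' => [
       "by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
       'by * break'
    ],
    # System rights for members of ReadOnlyAdm group
    '4 to *' => [
       "by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
       'by * break'
    ],
    # … read-all, anonymous uid listing and deny-rest clauses follow unchanged, renumbered 5-7 …
```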
@@ -119,7 +133,11 @@ class wmdeit_ldap (
 }
 -> openldap::server::module { 'syncprov':
 ensure => present,
- }
+ }
+# openldap::server::module { 'ppolicy':
+# ensure => absent,
+# }
+
 package { "heimdal-kdc":
@@ -288,6 +306,9 @@ class wmdeit_ldap (
 -> openldap::server::overlay { "memberof on $database":
 ensure => present,
+ options => {
+ 'olcMemberOfGroupOC' => 'groupOfMembers'
+ }
 }
 -> openldap::server::overlay { "syncprov on $database":
@@ -296,7 +317,11 @@ class wmdeit_ldap (
 -> openldap::server::overlay { "smbk5pwd on $database":
 ensure => present,
- }
+ }
+# openldap::server::overlay { "ppolicy on $database":
+# ensure => absent,
+# }
+
 # $acls.each |Integer $i, $acl | {
 # notify{"Set ACL $i $acl":}
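Review bot: The `ppolicy` module arrives here only as a commented-out `ensure => absent` block, and the `"ppolicy on $database"` overlay in the last hunk gets the same treatment, while the first hunk adds `"ppolicy"` to what looks like the loaded-schema list; as committed nothing loads the module or overlay, so no password policy (lockout, history, expiry) is enforced even though the schema suggests one is planned. If the policy is intended, both should be real resources with `ensure => present` and the overlay given a default policy DN; if it is not, the commented blocks are better dropped than kept, since Puppet does not manage them and they will drift from the live cn=config state. The only live change in this hunk is the `- }`/`+ }` pair, which appears to be whitespace only.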
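Review bot: `'olcMemberOfGroupOC' => 'groupOfMembers'` changes which group entries slapo-memberof maintains `memberOf` for, and the overlay only touches entries modified after it is (re)configured, so existing `groupOfNames` groups and their members are not backfilled; a negated `memberof=` filter such as the commented-out `'4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,…))'` clause in the earlier hunk would then match users whose `memberOf` was never populated, i.e. it fails open. The new `set="…/member"` ACL clauses are unaffected, because `set` reads the group entry's `member` attribute directly rather than the overlay-maintained value. A comment on the `options` line would spare the next maintainer that investigation, e.g. `# memberOf is maintained only for groupOfMembers entries changed after this applies; existing groups need a re-add or manual backfill`. Whether the module's overlay type accepts `options` as a hash of raw `olc*` keys cannot be confirmed from this diff alone.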