Modified to use group of members, some access rights added

This commit is contained in:
Tobias Herre 2021-05-28 20:27:13 +02:00
parent 726a33a0bf
commit c396989424
1 changed files with 31 additions and 6 deletions

View File

@ -25,6 +25,7 @@ class wmdeit_ldap (
"rfc2307bis", "rfc2307bis",
"krb5-kdc", "krb5-kdc",
"samba", "samba",
"ppolicy",
# "samba", # "samba",
# "nis", # "nis",
@ -79,24 +80,37 @@ class wmdeit_ldap (
"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write", "by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
'by * break' 'by * break'
], ],
# System rights for members of Adm group
'2 to *' => [
"by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
'by * break'
],
# System rights for members of Adm group
'3 to *' => [
"by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
'by * break'
],
# let users modify their passwords, and disable read acess to all others # let users modify their passwords, and disable read acess to all others
'2 to attrs=userPassword' => [ # '4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
# '4 to attrs=userPassword filter=(!(shadowExpire=0))' => [
'4 to attrs=userPassword' => [
"by self write", "by self write",
"by anonymous auth", "by anonymous auth",
"by * none", "by * none",
], ],
# let users read all # let users read all
'3 to attr=entry,objectClass,givenName,cn,displayName' => [ '5 to attr=entry,objectClass,givenName,cn,displayName' => [
"by anonymous break", "by anonymous break",
"by * read", "by * read",
], ],
# let anonymous users list uids # let anonymous users list uids
"4 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [ "6 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
"by anonymous read", "by anonymous read",
"by * break", "by * break",
], ],
# deny access to anything else # deny access to anything else
'5 to *' => [ '7 to *' => [
"by * none", "by * none",
] ]
@ -120,6 +134,10 @@ class wmdeit_ldap (
openldap::server::module { 'syncprov': openldap::server::module { 'syncprov':
ensure => present, ensure => present,
} }
# openldap::server::module { 'ppolicy':
# ensure => absent,
# }
package { "heimdal-kdc": package { "heimdal-kdc":
@ -288,6 +306,9 @@ class wmdeit_ldap (
-> ->
openldap::server::overlay { "memberof on $database": openldap::server::overlay { "memberof on $database":
ensure => present, ensure => present,
options => {
'olcMemberOfGroupOC' => 'groupOfMembers'
}
} }
-> ->
openldap::server::overlay { "syncprov on $database": openldap::server::overlay { "syncprov on $database":
@ -297,6 +318,10 @@ class wmdeit_ldap (
openldap::server::overlay { "smbk5pwd on $database": openldap::server::overlay { "smbk5pwd on $database":
ensure => present, ensure => present,
} }
# openldap::server::overlay { "ppolicy on $database":
# ensure => absent,
# }
# $acls.each |Integer $i, $acl | { # $acls.each |Integer $i, $acl | {
# notify{"Set ACL $i $acl":} # notify{"Set ACL $i $acl":}