Modified to use group of members, some access rights added
This commit is contained in:
parent
726a33a0bf
commit
c396989424
|
@ -25,6 +25,7 @@ class wmdeit_ldap (
|
||||||
"rfc2307bis",
|
"rfc2307bis",
|
||||||
"krb5-kdc",
|
"krb5-kdc",
|
||||||
"samba",
|
"samba",
|
||||||
|
"ppolicy",
|
||||||
|
|
||||||
# "samba",
|
# "samba",
|
||||||
# "nis",
|
# "nis",
|
||||||
|
@ -79,24 +80,37 @@ class wmdeit_ldap (
|
||||||
"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
|
"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
|
||||||
'by * break'
|
'by * break'
|
||||||
],
|
],
|
||||||
|
# System rights for members of Adm group
|
||||||
|
'2 to *' => [
|
||||||
|
"by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
|
||||||
|
'by * break'
|
||||||
|
],
|
||||||
|
# System rights for members of Adm group
|
||||||
|
'3 to *' => [
|
||||||
|
"by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
|
||||||
|
'by * break'
|
||||||
|
],
|
||||||
|
|
||||||
# let users modify their passwords, and disable read acess to all others
|
# let users modify their passwords, and disable read acess to all others
|
||||||
'2 to attrs=userPassword' => [
|
# '4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
|
||||||
|
# '4 to attrs=userPassword filter=(!(shadowExpire=0))' => [
|
||||||
|
'4 to attrs=userPassword' => [
|
||||||
"by self write",
|
"by self write",
|
||||||
"by anonymous auth",
|
"by anonymous auth",
|
||||||
"by * none",
|
"by * none",
|
||||||
],
|
],
|
||||||
# let users read all
|
# let users read all
|
||||||
'3 to attr=entry,objectClass,givenName,cn,displayName' => [
|
'5 to attr=entry,objectClass,givenName,cn,displayName' => [
|
||||||
"by anonymous break",
|
"by anonymous break",
|
||||||
"by * read",
|
"by * read",
|
||||||
],
|
],
|
||||||
# let anonymous users list uids
|
# let anonymous users list uids
|
||||||
"4 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
|
"6 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
|
||||||
"by anonymous read",
|
"by anonymous read",
|
||||||
"by * break",
|
"by * break",
|
||||||
],
|
],
|
||||||
# deny access to anything else
|
# deny access to anything else
|
||||||
'5 to *' => [
|
'7 to *' => [
|
||||||
"by * none",
|
"by * none",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
@ -119,7 +133,11 @@ class wmdeit_ldap (
|
||||||
} ->
|
} ->
|
||||||
openldap::server::module { 'syncprov':
|
openldap::server::module { 'syncprov':
|
||||||
ensure => present,
|
ensure => present,
|
||||||
}
|
}
|
||||||
|
# openldap::server::module { 'ppolicy':
|
||||||
|
# ensure => absent,
|
||||||
|
# }
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
package { "heimdal-kdc":
|
package { "heimdal-kdc":
|
||||||
|
@ -288,6 +306,9 @@ class wmdeit_ldap (
|
||||||
->
|
->
|
||||||
openldap::server::overlay { "memberof on $database":
|
openldap::server::overlay { "memberof on $database":
|
||||||
ensure => present,
|
ensure => present,
|
||||||
|
options => {
|
||||||
|
'olcMemberOfGroupOC' => 'groupOfMembers'
|
||||||
|
}
|
||||||
}
|
}
|
||||||
->
|
->
|
||||||
openldap::server::overlay { "syncprov on $database":
|
openldap::server::overlay { "syncprov on $database":
|
||||||
|
@ -296,7 +317,11 @@ class wmdeit_ldap (
|
||||||
->
|
->
|
||||||
openldap::server::overlay { "smbk5pwd on $database":
|
openldap::server::overlay { "smbk5pwd on $database":
|
||||||
ensure => present,
|
ensure => present,
|
||||||
}
|
}
|
||||||
|
# openldap::server::overlay { "ppolicy on $database":
|
||||||
|
# ensure => absent,
|
||||||
|
# }
|
||||||
|
|
||||||
|
|
||||||
# $acls.each |Integer $i, $acl | {
|
# $acls.each |Integer $i, $acl | {
|
||||||
# notify{"Set ACL $i $acl":}
|
# notify{"Set ACL $i $acl":}
|
||||||
|
|
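Review bot: The new `'3 to *'` rule gives ReadOnlyAdm members read on every attribute, including userPassword, because slapd selects the first `to` clause that matches and `to *` is reached (via the `break`s in rules 1 and 2) before the `'4 to attrs=userPassword'` rule whose `by * none` was meant to hide hashes from everyone but self. Moving the ReadOnlyAdm block below the userPassword rule (for example as the rule just before the final `to *` deny, with the numbers shifted) lets rule 4's `by * none` stop evaluation for that attribute while read on the remaining attributes still falls through. If the smbk5pwd overlay configured later in this file is populating sambaNTPassword/sambaLMPassword/krb5Key, those are not covered by the userPassword rule either, so the password rule should probably become `'4 to attrs=userPassword,sambaNTPassword,sambaLMPassword,krb5Key' => [`. The comment above the ReadOnlyAdm block is a copy of the Adm one; `# Read-only rights for members of ReadOnlyAdm group` would describe it. The `$acls` hash these entries belong to begins before the hunk, so the surrounding rules 1 and 7 are only partly visible here.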