|
|
|
@ -68,25 +68,60 @@ class wmdeit_ldap (
|
|
|
|
|
],
|
|
|
|
|
$ssldir = "/etc/ldap/ssl",
|
|
|
|
|
|
|
|
|
|
$acls = [
|
|
|
|
|
# grant accces to domain admins
|
|
|
|
|
'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
|
|
|
'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
|
|
|
$acl = {
|
|
|
|
|
# Super access to local root user
|
|
|
|
|
'0 to *' => [
|
|
|
|
|
'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
|
|
|
|
|
'by * break',
|
|
|
|
|
],
|
|
|
|
|
# Admin rights for members of Admin group
|
|
|
|
|
'1 to *' => [
|
|
|
|
|
"by set=\"user & [cn=Admins,ou=Groups,$database]/member\" write",
|
|
|
|
|
'by * break'
|
|
|
|
|
],
|
|
|
|
|
# let users modify their passwords, and disable read acess to all others
|
|
|
|
|
'2 to attrs=userPassword,sambaNTPassword' => [
|
|
|
|
|
"by self write",
|
|
|
|
|
"by anonymous auth",
|
|
|
|
|
"by * none",
|
|
|
|
|
],
|
|
|
|
|
# let users read all
|
|
|
|
|
'3 to *' => [
|
|
|
|
|
"by anonymous break",
|
|
|
|
|
"by * read",
|
|
|
|
|
],
|
|
|
|
|
"4 to dn.subtree=\"$database\" attrs=entry,objectClass" => [
|
|
|
|
|
"by anonymous read",
|
|
|
|
|
"by * break",
|
|
|
|
|
],
|
|
|
|
|
'5 to *' => [
|
|
|
|
|
"by * none",
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# 'by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break'
|
|
|
|
|
|
|
|
|
|
# super acces to local root user
|
|
|
|
|
'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
|
|
|
|
|
# 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
|
|
|
|
|
# grant accces to domain admins
|
|
|
|
|
# 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
|
|
|
# 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
|
|
|
# 'to * by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break',
|
|
|
|
|
# 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# let users modify their passwords
|
|
|
|
|
'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
|
|
|
|
|
# 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
|
|
|
|
|
|
|
|
|
|
# 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
|
|
|
|
|
|
|
|
|
|
'to attrs=entry,children,objectClass,uid by anonymous read by * break',
|
|
|
|
|
# 'to * by anonymous none by * break',
|
|
|
|
|
|
|
|
|
|
'to * by anonymous none by * break',
|
|
|
|
|
|
|
|
|
|
'to dn.base="" by * read',
|
|
|
|
|
'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
|
|
|
|
|
]
|
|
|
|
|
# 'to dn.base="" by * read',
|
|
|
|
|
# 'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
|
|
|
|
|
|
|
|
|
|
){
|
|
|
|
|
$clientcert = $facts[clientcert]
|
|
|
|
@ -263,33 +298,48 @@ class wmdeit_ldap (
|
|
|
|
|
rootpw => $rootpw,
|
|
|
|
|
# syncrepl => $syncrepl,
|
|
|
|
|
mirrormode => $mirrormode,
|
|
|
|
|
} #->
|
|
|
|
|
# openldap::server::overlay { "memberof on $database":
|
|
|
|
|
# ensure => present,
|
|
|
|
|
# } ->
|
|
|
|
|
}
|
|
|
|
|
->
|
|
|
|
|
openldap::server::overlay { "memberof on $database":
|
|
|
|
|
ensure => present,
|
|
|
|
|
}
|
|
|
|
|
# ->
|
|
|
|
|
# openldap::server::overlay { "syncprov on $database":
|
|
|
|
|
# ensure => present,
|
|
|
|
|
# } ->
|
|
|
|
|
# openldap::server::overlay { "smbk5pwd on $database":
|
|
|
|
|
# ensure => present,
|
|
|
|
|
# }
|
|
|
|
|
->
|
|
|
|
|
openldap::server::overlay { "smbk5pwd on $database":
|
|
|
|
|
ensure => present,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# $acls.each |Integer $i, String $acl | {
|
|
|
|
|
# $acls.each |Integer $i, $acl | {
|
|
|
|
|
# notify{"Set ACL $i $acl":}
|
|
|
|
|
# openldap::server::access { "{$i}$acl":
|
|
|
|
|
# openldap::server::access { "$i on $database":
|
|
|
|
|
# suffix => "$database",
|
|
|
|
|
# ensure => present,
|
|
|
|
|
# access => $acl['access'],
|
|
|
|
|
# what => $acl['to'],
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
openldap::server::access_wrapper { $database :
|
|
|
|
|
acl => $acl,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#'''''##################################################################################################
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
|
|
|
|
|
# openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break on $database':
|
|
|
|
|
# suffix => "$database",
|
|
|
|
|
# access => '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
|
|
|
# ensure => present,
|
|
|
|
|
# }
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
|
|
|
|
|
# suffix => "$database",
|
|
|
|
|
# ensure => present,
|
|
|
|
|