[re2o-ldap-replica] allow nounou to bind to the ldap with full access

2021-07-18 12:50:46 +02:00 · 2021-07-18 12:50:46 +02:00 · 1a90541a80
parent 6338010c40
commit 1a90541a80
1 changed files with 42 additions and 27 deletions
--- a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
+++ b/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
@ -1114,33 +1114,48 @@ objectClass: olcHdbConfig
 olcDatabase: {1}hdb
 olcDbDirectory: /var/lib/ldap
 olcSuffix: {{ re2o_ldap_replica.suffix }}
-olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail by self write by an
- onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn
- =readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="
- cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * no
- ne
-olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell by self write by an
- onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn
- =readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="
- cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn
- =usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * none
-olcAccess: {2}to dn.base="" by * read
-olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}" by group="cn=
- auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn=re
- adonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
-olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by * read
-olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by grou
- p="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by self r
- ead by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}"
-  read by group="cn=usermgmt,ou=services,ou=groups,dc=example,dc=or
- g" write
-olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}" by gro
- up="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group
- ="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
-olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}" by * read
-olcAccess: {8}to * by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by self
-  read by group="cn=readonly,ou=services,ou=groups,dc=example,dc=or
- g" read
+olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self write
+        by anonymous auth
+        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+        by * none
+olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self write
+        by anonymous auth
+        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+        by * none
+olcAccess: {2}to dn.base=""
+        by * read
+olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}"
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}"
+        by * read
+olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}"
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}"
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}"
+        by * read
+olcAccess: {8}to *
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by self read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
 olcLastMod: TRUE
 olcRootDN: cn=admin,{{ re2o_ldap_replica.suffix }}
 olcRootPW: {{ re2o_ldap_replica.root_password_hash }}