[re2o-ldap-replica] allow nounou to bind to the ldap with full access

certbot_on_virtu
_shirenn 2021-07-18 12:50:46 +02:00 committed by Yohann D'ANELLO
parent 6338010c40
commit 1a90541a80
Signed by: _ynerant
GPG Key ID: 3A75C55819C8CF85
1 changed files with 42 additions and 27 deletions


@ -1114,33 +1114,48 @@ objectClass: olcHdbConfig
olcDatabase: {1}hdb olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap olcDbDirectory: /var/lib/ldap
olcSuffix: {{ re2o_ldap_replica.suffix }} olcSuffix: {{ re2o_ldap_replica.suffix }}
olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail by self write by an olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail
onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group=" by self write
cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * no by anonymous auth
ne by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell by self write by an by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group=" by * none
cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell
=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * none by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
olcAccess: {2}to dn.base="" by * read by self write
olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}" by group="cn= by anonymous auth
auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn=re by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
adonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by * read by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by grou by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
p="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by self r by * none
ead by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" olcAccess: {2}to dn.base=""
read by group="cn=usermgmt,ou=services,ou=groups,dc=example,dc=or by * read
g" write olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}"
olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}" by gro by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
up="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}" by * read olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}"
olcAccess: {8}to * by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by self by * read
read by group="cn=readonly,ou=services,ou=groups,dc=example,dc=or olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}"
g" read by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
by self read
by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}"
by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}"
by * read
olcAccess: {8}to *
by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
by self read
by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
olcLastMod: TRUE olcLastMod: TRUE
olcRootDN: cn=admin,{{ re2o_ldap_replica.suffix }} olcRootDN: cn=admin,{{ re2o_ldap_replica.suffix }}
olcRootPW: {{ re2o_ldap_replica.root_password_hash }} olcRootPW: {{ re2o_ldap_replica.root_password_hash }}
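Review bot: Every new `by set=` clause hard-codes `dc=crans,dc=org` (L18, L26, L37, L44, L49, L55) while every other DN in the same olcAccess rules is built from `{{ re2o_ldap_replica.suffix }}`, so the role stops being a generic template and, on a replica deployed with a different suffix, the set lookup resolves no entry and the nounou grant silently never applies. Use the variable as the rest of the rule does: `by set="[cn=nounou,ou=posix,ou=groups,{{ re2o_ldap_replica.suffix }}]/memberUid & user/uid" write`. Note also that the same set in `{3}` gives nounou members write under `ou=groups`, i.e. write on the `memberUid` list of `cn=nounou` itself, so membership of the privileged group is self-administered; if that is intended it deserves a comment next to `{3}`, for example `# nounou members manage group membership, including cn=nounou`. The `olcDatabase: {1}hdb` entry whose ACLs are changed here starts before the hunk.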