Ajoute une commande pour réinitialiser les ACLs d'une base

2015-03-19 23:32:20 +01:00 · 2015-03-19 23:32:20 +01:00 · 1818499ec7
parent b760512dc3
commit 1818499ec7
3 changed files with 37 additions and 2 deletions
--- a/lib/newdb
+++ b/lib/newdb
@ -131,8 +131,8 @@ olcAccess: {5}to dn.one="ou=groups,$SUFFIX" attrs=member
 # Branche structures
 olcAccess: {6}to dn.one="ou=structures,$SUFFIX" 
   by * read
-# Autorissation de recherche par tous les utilisateurs sur toute la base
-olcAccess: {6}to * by users search
+# Autorisation de recherche par tous les utilisateurs sur toute la base
+olcAccess: {7}to * by users search

 # Create accesslog DIT
 add olcDatabase={1}mdb,cn=config
--- a/lib/resetacl
+++ b/lib/resetacl
@ -0,0 +1,34 @@
+#!/bin/sh
+set -e
+
+if [ "x$1" = "x" ]; then
+	echo Suffix de la base à réinitialiser ?
+	echo -ne "> "
+	read SUFFIX
+else
+	SUFFIX="$1"
+fi
+
+DN=`ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config "olcSuffix=$SUFFIX" "" 2>/dev/null | grep ^dn | head -n1`
+
+if [ "x$DN" != "" ]; then 
+	LDIF=`tempfile`
+	cat <<EOF >$LDIF
+$DN
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to *  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage  by group.exact="cn=admin,ou=groups,$SUFFIX" manage   by * break
+olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI  by self write by * break
+olcAccess: {2}to dn.one="ou=groups,$SUFFIX"   by set="this/owner & user" manage   by * break
+olcAccess: {3}to dn.one="ou=groups,$SUFFIX" attrs=entry,cn,description,owner,supannRefId  by users read   by * break
+olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=member  by set="this/supannGroupeAdminDN/member* & user" write  by set="this/supannGroupeAdminDN & user" write  by set="this/supannGroupeLecteurDN/member* & user" read  by set="this/supannGroupeLecteurDN & user" read by dnattr=member search
+olcAccess: {5}to dn.one="ou=structures,$SUFFIX"   by * read
+olcAccess: {6}to dn.one="ou=people,$SUFFIX"  by self read by users read  by anonymous auth  by * none
+olcAccess: {7}to * by users search
+EOF
+	ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF 2>/dev/null >/dev/null
+	rm $LDIF
+	echo "Réinitialisation de la base $DN pour le suffixe $SUFFIX effectuée."
+else
+	echo "ERREUR: Le suffixe $SUFFIX n'a pas été trouvé"
+fi
--- a/lib/resetacl.help
+++ b/lib/resetacl.help
@ -0,0 +1 @@
+Réinitialise les ACLs d'une base existante