From aac655b6c11918d0871f3fa619dd6a2106dab33b Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 24 Jun 2015 16:54:49 +0200
Subject: [PATCH] Make o=meta non readable by anonymous, add a branch for storing readers accounts (fixes #7672)

---
 share/add-meta.ldapvi | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/share/add-meta.ldapvi b/share/add-meta.ldapvi
index a05f127..3ee1bec 100644
--- a/share/add-meta.ldapvi
+++ b/share/add-meta.ldapvi
@@ -3,13 +3,30 @@ objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcSuffix: o=meta
 olcDbDirectory: /var/lib/ldap/meta/
-# Allow reading accesslog only by root
-olcAccess: {0}to *
+# Allow authentication of readers accounts
+olcAccess: {0}to dn.one="ou=readers,o=meta"
+ by anonymous auth
+ by * break
+# Allow reading meta by readers accounts
+olcAccess: {1}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
- by * read
+ by dn.one="ou=readers,o=meta" read
+ by * none
 olcLimits: {0}* size.pr=1000 size.prtotal=unlimited
 
 add o=meta
 objectClass: organization
 o: meta
 description: Méta-annuaire SUPANN
+
+add ou=readers,o=meta
+objectClass: organizationalUnit
+ou: readers
+
+add uid=reader,ou=readers,o=meta
+objectClass: inetOrgPerson
+uid: reader
+userPassword: reader
+gn: reader
+sn: reader
+cn: reader
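Review bot: The new `uid=reader,ou=readers,o=meta` entry ships with a literal, guessable `userPassword: reader` in a shared template, which largely undoes the commit's goal of closing o=meta to unauthenticated readers; the template should not carry a working password at all, or should take a hashed value generated at install time (for example with `slappasswd`) in place of the literal. Separately, the `{1}to *` rule grants `dn.one="ou=readers,o=meta"` read on every attribute of every entry, so any reader account can read the other readers' `userPassword` values, which are stored as given (slapd does not hash values written through an add). I would put a dedicated rule ahead of it, `olcAccess: {1}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by * none`, and renumber the current `{1}to *` rule to `{2}`; anonymous bind on the readers branch is unaffected because `{0}` already grants `auth` there before the `break`.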