diff --git a/lib/newdb b/lib/newdb
index 05e84a2..aa12594 100755
--- a/lib/newdb
+++ b/lib/newdb
@@ -100,40 +100,50 @@ olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRef
 olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
 # Accès super-utilisateur
 olcAccess: {0}to *
- by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
- by group.exact="cn=admin,ou=groups,$SUFFIX" manage
- by * break
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+ by group.exact="cn=admin,ou=groups,$SUFFIX" manage
+ by * break
+# Structure du DIT: tout le monde peut voir
+olcAccess: {1}to dn.base="$SUFFIX"
+ by anonymous read
+ by * +rs break
+olcAccess: {2}to dn.one="$SUFFIX"
+ by anonymous read
+ by * +rs break
 # Branche people
-olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI
- by self write
- by * break
-# Les accès aux autres attributs utilisateurs
-olcAccess: {2}to dn.one="ou=people,$SUFFIX"
- by users read
- by anonymous auth
- by * none
+olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword
+ by self write
+ by anonymous auth
+ by * none
+olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,labeledURI
+ by self write
+ by * break
+olcAccess: {5}to dn.one="ou=people,$SUFFIX"
+ by self read
+ by users read
+ by anonymous auth
+ by * none
 # Branche groups
-# Le propriétaire du groupe
-olcAccess: {3}to dn.one="ou=groups,$SUFFIX"
- by set="this/owner & user" manage
- by * break
-# Les utilisateurs en général sur les attributs descriptifs
-olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=cn,description,owner,supannRefId
- by users read
- by * break
-# Les admin et lecteur des membres du groupe
-# les membres peuvent trouver leurs groupes
-olcAccess: {5}to dn.one="ou=groups,$SUFFIX" attrs=member
- by set="this/supannGroupeAdminDN/member* & user" write
- by set="this/supannGroupeAdminDN & user" write
- by set="this/supannGroupeLecteurDN/member* & user" read
- by set="this/supannGroupeLecteurDN & user" read
- by dnattr=member search
-# Branche structures
-olcAccess: {6}to dn.one="ou=structures,$SUFFIX"
- by * read
-# Autorisation de recherche par tous les utilisateurs sur toute la base
-olcAccess: {7}to * by users search
+olcAccess: {6}to dn.one="ou=groups,$SUFFIX"
+ by set="this/owner & user" manage
+ by * break
+olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member
+ by set="this/supannGroupeAdminDN/member* & user" write
+ by set="this/supannGroupeAdminDN & user" write
+ by set="this/supannGroupeLecteurDN/member* & user" read
+ by set="this/supannGroupeLecteurDN & user" read
+ by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" read
+ by dnattr=member selfread
+ by * none
+olcAccess: {8}to dn.one="ou=groups,$SUFFIX"
+ by users read
+ by * none
+# Branche structure, tout le monde peut lire
+olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
+ by * read
+olcAccess: {10}to *
+ by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" +r
+ by users +s
 
 # Create accesslog DIT
 add olcDatabase={1}mdb,cn=config
@@ -141,7 +151,7 @@ objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcSuffix: cn=accesslog,$SUFFIX
 olcDbDirectory: /var/lib/ldap/$SUFFIX/accesslog/
-olcAccess: {0}to *
+olcAccess: {0}to *
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 by group=cn=admin,ou=groupes,$SUFFIX manage
 by * break
@@ -171,8 +181,8 @@ add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcRefintConfig
 olcOverlay: {2}refint
-olcRefintAttribute: member
- eduPersonOrgDN
+olcRefintAttribute: member
+ eduPersonOrgDN
 eduPersonOrgUnitDN
 owner
 eduPersonPrimaryOrgUnitDN
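Review bot: Rules {7} and {10} hard-code `cn=reader,ou=groups,dc=quelquechose,dc=fr` while every other DN in this heredoc is derived from `$SUFFIX`, so the reader group is looked up outside the database being configured and the clause either never matches or, if a `dc=quelquechose,dc=fr` tree exists on the same server, refers to an unrelated group; it should read `by group.exact="cn=reader,ou=groups,$SUFFIX" read` (and `+r` in {10}). Rule {8} also drops the old `attrs=cn,description,owner,supannRefId` list, so every attribute of a group entry other than `member` — including `supannGroupeAdminDN`, `supannGroupeLecteurDN` and anything added later — becomes readable by all authenticated users; if that widening is not intended, keep an explicit `attrs=` list. The `dn.regex="uid=[^,]+,ou=people,$SUFFIX"` patterns in {3} and {4} are unanchored (pre-existing), so they also match entries below a user entry; anchoring them with `^` and a trailing `$` (written `\$` inside the unquoted heredoc) is the usual form. The same ACL block is duplicated in lib/resetacl (hunk `@@ -12,31 +21,73 @@`) with the same hard-coded suffix and the same unrestricted {8}, so both copies need the fix.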
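Review bot: The accesslog database's ACL, in the context lines right after the re-whitespaced `olcAccess: {0}to *`, grants manage to `group=cn=admin,ou=groupes,$SUFFIX`, whereas the main database in the previous hunk uses `cn=admin,ou=groups,$SUFFIX`; unless a separate `ou=groupes` container really exists this is a typo, and the admin group then has no access to the accesslog at all — only the peercred root identity matches, and everyone else falls through the closing `by * break` to whatever the global default is. Since this line is touched here only for whitespace, it is a good moment to make it `by group.exact="cn=admin,ou=groups,$SUFFIX" manage`, matching the main database.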
@@ -186,26 +196,26 @@ objectClass: olcOverlayConfig
 objectClass: olcConstraintConfig
 olcOverlay: {3}constraint
 # un seul cn pour les utilisateurs
-olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
-#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
-olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,$SUFFIX??sub?(objectClass=*)"
-olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///$SUFFIX??base?(objectClass=*)"
-olcConstraintAttribute: dc regex "^[a-z0-9-]*$"
-olcConstraintAttribute: eduOrgHomePageURI,eduOrgSuperiorURI,eduOrgWhitePagesURI regex "^https?://.*$"
-olcConstraintAttribute: eduPersonAffiliation regex "^(student|faculty|staff|employee|member|affiliate|alum|library-walk-in|researcher|retired|emeritus|teacher|registered-reader)$"
-olcConstraintAttribute: eduPersonPrincipalName regex "^.*@.*$"
+olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
+#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
+olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,$SUFFIX??sub?(objectClass=*)"
+olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///$SUFFIX??base?(objectClass=*)"
+olcConstraintAttribute: dc regex "^[a-z0-9-]*$"
+olcConstraintAttribute: eduOrgHomePageURI,eduOrgSuperiorURI,eduOrgWhitePagesURI regex "^https?://.*$"
+olcConstraintAttribute: eduPersonAffiliation regex "^(student|faculty|staff|employee|member|affiliate|alum|library-walk-in|researcher|retired|emeritus|teacher|registered-reader)$"
+olcConstraintAttribute: eduPersonPrincipalName regex "^.*@.*$"
 olcConstraintAttribute: mail count 1
-olcConstraintAttribute: mail,supannMailPerso,supannAutreMail
- regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$"
-# olcConstraintAttribute: mailForwardingAddress
+olcConstraintAttribute: mail,supannMailPerso,supannAutreMail
+ regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$"
+# olcConstraintAttribute: mailForwardingAddress regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$"
 # mail ou uid
-olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
+olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
 olcConstraintAttribute: supannCodeEntiteParent,supannEntiteAffectation uri ldap:///ou=structures,$SUFFIX?supannCodeEntite?sub?(objectClass=supannEntite)
 olcConstraintAttribute: supannCodeINE count 1
 olcConstraintAttribute: supannEmpId count 1
 # FIXME: syntex regex pas bonne
-olcConstraintAttribute: supannCivilite regex "^(M.|Mme|Mlle)$"
-olcConstraintAttribute: supannTypeEntite,supannEtuCursusAnnee regex "^\{SUPANN\}[A-Z][0-9]+$"
+olcConstraintAttribute: supannCivilite regex "^(M.|Mme|Mlle)$"
+olcConstraintAttribute: supannTypeEntite,supannEtuCursusAnnee regex "^\{SUPANN\}[A-Z][0-9]+$"
 # attribut issu d'une nomenclature
 olcConstraintAttribute: supannEtablissement,
 supannEtuDiplome,
@@ -214,8 +224,8 @@ olcConstraintAttribute: supannEtablissement,
 supannEtuRegimeInscription,
 supannEtuSecteurDisciplinaire,
 supannEtuTypeDiplome,
- regex "^\{[^}]+\}.*$"
-olcConstraintAttribute: supannEtuAnneeInscription regex "^[0-9][0-9][0-9][0-9]$"
+ regex "^\{[^}]+\}.*$"
+olcConstraintAttribute: supannEtuAnneeInscription regex "^[0-9][0-9][0-9][0-9]$"
 
 add olcOverlay={4}unique,olcDatabase={2}mdb,cn=config
 objectClass: olcOverlayConfig
diff --git a/lib/resetacl b/lib/resetacl
index 8320d82..f616002 100755
--- a/lib/resetacl
+++ b/lib/resetacl
@@ -1,6 +1,15 @@
-#!/bin/sh
+#!/bin/bash
 set -e
 
+function echoonerror {
+ LOG=`tempfile`
+ if ! "$@" >$LOG 2>&1; then
+ STATUS="$?"
+ cat $LOG
+ return $STATUS
+ fi
+}
+
 if [ "x$1" = "x" ]; then
 echo Suffix de la base à réinitialiser ?
 echo -ne "> "
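Review bot: `STATUS="$?"` on the line after `if ! "$@" >$LOG 2>&1; then` captures the exit status of the negated test, which is 0 whenever that branch is entered, so `echoonerror` prints the captured log but still returns 0 and the `set -e` at the top never stops the script on a failed ldapmodify; the `echoonerror ldapmodify …` calls and the `if echoonerror ldapsearch …` test in the next hunk therefore can never fail (and that test is weak on its own, since ldapsearch exits 0 whether or not the filter matched anything). The `tempfile` created for `$LOG` is also never removed, so every call leaves the command's output behind in the temp directory. Take the status in the else branch of a positive test and remove the log on both paths, as below.
```shell
function echoonerror {
    LOG=`tempfile`
    if "$@" >"$LOG" 2>&1; then
        STATUS=0
    else
        STATUS=$?          # status of "$@", read before anything else runs
        cat "$LOG"
    fi
    rm -f "$LOG"
    return "$STATUS"
}
```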
@@ -12,31 +21,73 @@ fi
 DN=`ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config "olcSuffix=$SUFFIX" "" 2>/dev/null | grep ^dn | head -n1 | sed 's/^dn: //'`
 DN2=`ldapsearch -H ldapi:// -Y EXTERNAL -b $DN "objectClass=olcConstraintConfig" "" 2>/dev/null | grep ^dn | head -n1 | sed 's/^dn: //'`
-if [ "x$DN" != "" ]; then
+if [ "x$DN" != "" ]; then
 LDIF=`tempfile`
 cat <$LDIF
 dn: $DN
 changetype: modify
 replace: olcAccess
-olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by group.exact="cn=admin,ou=groups,$SUFFIX" manage by * break
-olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI by self write by * break
-olcAccess: {2}to dn.one="ou=groups,$SUFFIX" by set="this/owner & user" manage by * break
-olcAccess: {3}to dn.one="ou=groups,$SUFFIX" attrs=entry,cn,description,owner,supannRefId by users read by * break
-olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=member by set="this/supannGroupeAdminDN/member* & user" write by set="this/supannGroupeAdminDN & user" write by set="this/supannGroupeLecteurDN/member* & user" read by set="this/supannGroupeLecteurDN & user" read by dnattr=member search
-olcAccess: {5}to dn.one="ou=structures,$SUFFIX" by * read
-olcAccess: {6}to dn.one="ou=people,$SUFFIX" by self read by users read by anonymous auth by * none
-olcAccess: {7}to * by users search
+# Accès super-utilisateur
+olcAccess: {0}to *
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+ by group.exact="cn=admin,ou=groups,$SUFFIX" manage
+ by * break
+# Structure du DIT: tout le monde peut voir
+olcAccess: {1}to dn.base="$SUFFIX"
+ by anonymous read
+ by * +rs break
+olcAccess: {2}to dn.one="$SUFFIX"
+ by anonymous read
+ by * +rs break
+# Branche people
+olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword
+ by self write
+ by anonymous auth
+ by * none
+olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,labeledURI
+ by self write
+ by * break
+olcAccess: {5}to dn.one="ou=people,$SUFFIX"
+ by self read
+ by users read
+ by anonymous auth
+ by * none
+# Branche groups
+olcAccess: {6}to dn.one="ou=groups,$SUFFIX"
+ by set="this/owner & user" manage
+ by * break
+olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member
+ by set="this/supannGroupeAdminDN/member* & user" write
+ by set="this/supannGroupeAdminDN & user" write
+ by set="this/supannGroupeLecteurDN/member* & user" read
+ by set="this/supannGroupeLecteurDN & user" read
+ by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" read
+ by dnattr=member selfread
+ by * none
+olcAccess: {8}to dn.one="ou=groups,$SUFFIX"
+ by users read
+ by * none
+# Branche structure, tout le monde peut lire
+olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
+ by * read
+olcAccess: {10}to *
+ by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" +r
+ by users +s
 -
 replace: olcDbIndex
 olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
 olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
-
+EOF
+ echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF
+ if echoonerror ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" olcConstraintAttribute=*displayName* >/dev/null; then
+ echo <$LDIF
 dn: $DN2
 changetype: modify
 delete: olcConstraintAttribute
-olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
+olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
 EOF
- ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF 2>/dev/null >/dev/null
+ echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF
+ fi
 rm $LDIF
 echo "Réinitialisation de la base $DN pour le suffixe $SUFFIX effectuée."
 else