corrige les ACLs par défaut dans newdb

lib/newdb

@@ -90,11 +90,38 @@ olcMaxDerefDepth: 0
 olcLimits: {0}dn.exact="uid=admin,ou=people,$SUFFIX" size.soft=unlimited  size.hard=unlimited  time.soft=unlimited  time.hard=unlimited
 olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited  size.hard=unlimited  time.soft=unlimited  time.hard=unlimited
 olcReadOnly: FALSE
-olcAccess: {0}to * 
-  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
-  by group=cn=admin,ou=groupes,$SUFFIX manage
-  by * break
-# *FIXME apply more thinking to ACLs*
+# Accès super-utilisateur
+olcAccess: {0}to *
+   by dn.regex="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+   by group.exact="cn=admin,ou=groups,$SUFFIX" manage 
+   by * break
+# Branche people
+olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI
+   by self write break
+   by * break
+# Les accès aux autres attributs utilisateurs
+olcAccess: {2}to dn.one="ou=people,$SUFFIX"
+   by users read
+   by anonymous auth
+   by * none
+# Branche groups
+# Le propriétaire du groupe
+olcAccess: {3}to dn.one="ou=groups,$SUFFIX" 
+   by set="this/owner & user" manage 
+   by * break
+# Les utilisateurs en général sur les attributs descriptifs
+olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=cn,description,owner,supannRefId
+   by users read 
+   by * break
+# Les admin et lecteur des membres du groupe
+olcAccess: {5}to dn.one="ou=groups,$SUFFIX" attrs=member
+   by set="this/supannGroupeAdminDN/member* & user" write
+   by set="this/supannGroupeAdminDN & user" write
+   by set="this/supannGroupeLecteurDN/member* & user" read
+   by set="this/supannGroupeLecteurDN & user" read
+# Branche structures
+olcAccess: {6}to dn.one="ou=structures,$SUFFIX" 
+   by * read
 
 # Create accesslog DIT
 add olcDatabase={1}mdb,cn=config