corrige les ACLs par défaut dans newdb
parent
3bad35d77c
commit
ee200ceb1d
37
lib/newdb
37
lib/newdb
@ -90,11 +90,38 @@ olcMaxDerefDepth: 0
olcLimits: {0}dn.exact="uid=admin,ou=people,$SUFFIX" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
olcReadOnly: FALSE
olcAccess: {0}to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by group=cn=admin,ou=groupes,$SUFFIX manage
by * break
# *FIXME apply more thinking to ACLs*
# Accès super-utilisateur
olcAccess: {0}to *
by dn.regex="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by group.exact="cn=admin,ou=groups,$SUFFIX" manage
by * break
# Branche people
olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI
by self write break
by * break
# Les accès aux autres attributs utilisateurs
olcAccess: {2}to dn.one="ou=people,$SUFFIX"
by users read
by anonymous auth
by * none
# Branche groups
# Le propriétaire du groupe
olcAccess: {3}to dn.one="ou=groups,$SUFFIX"
by set="this/owner & user" manage
by * break
# Les utilisateurs en général sur les attributs descriptifs
olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=cn,description,owner,supannRefId
by users read
by * break
# Les admin et lecteur des membres du groupe
olcAccess: {5}to dn.one="ou=groups,$SUFFIX" attrs=member
by set="this/supannGroupeAdminDN/member* & user" write
by set="this/supannGroupeAdminDN & user" write
by set="this/supannGroupeLecteurDN/member* & user" read
by set="this/supannGroupeLecteurDN & user" read
# Branche structures
olcAccess: {6}to dn.one="ou=structures,$SUFFIX"
by * read
|
# Create accesslog DIT
|
||||
add olcDatabase={1}mdb,cn=config
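Review bot: The new `{0}` manage clause `by dn.regex="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage` is now compiled as a regular expression, where the unescaped `+` quantifies the preceding `0` instead of matching the literal `+` in the SASL peercred DN, so the local-root identity that the removed `dn.exact=` line granted manage to no longer matches this clause. Restore `by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage`, or, if a regex is really intended, write it anchored and escaped as `^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$`. The `{1}` rule's `dn.regex="uid=[^,]+,ou=people,$SUFFIX"` is likewise unanchored and interpolates `$SUFFIX` without regex escaping; anchoring with `^` (and `$`, if the expansion that produces this LDIF leaves a trailing one intact, which this hunk does not show) or using `dn.one="ou=people,$SUFFIX"` like the neighbouring rules avoids matching deeper or differently-rooted DNs. The larger exposure is that every clause of `{1}` ends in `break`, so evaluation for `userPassword` continues into `{2}`, whose absolute `by users read` appears to give every authenticated user read on other people's password hashes and to reduce `self` from write back to read; the usual shape is a stopping rule for those attributes, `by self write` / `by anonymous auth` / `by * none`, placed before the broad `{2}` rule. The `# *FIXME apply more thinking to ACLs*` marker shows the set is known to be provisional, but the password-hash case is worth settling before this becomes the default.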
|
|