#!/bin/bash
# Reset a slapd database (located by its olcSuffix under cn=config) to the
# PSL standard: replace its olcAccess rules, replace olcDbIndex/olcDbMaxSize,
# and delete three olcConstraintAttribute rules from the constraint overlay.
# Usage: <script> [SUFFIX]   (asks for the suffix on stdin when omitted)
# Connects over ldapi:// with SASL EXTERNAL; the ACL it installs grants
# "manage" to the root peercred identity, so it is presumably run as root.
#
# Abort on the first failing command (not inside if / && / || lists).
set -e
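#######################################
# Run a command silently; print its combined stdout/stderr only if it fails.
# Arguments: the command and its arguments
# Outputs:   the command's captured output, on stdout, only on failure
# Returns:   the command's exit status (1 if the log file cannot be created)
#######################################
function echoonerror {
  local log status=0
  # mktemp is portable; tempfile is Debian-only and deprecated.
  log=$(mktemp) || return 1
  # Capture the status directly: inside "if ! cmd" the '!' inverts $?,
  # so it would always read 0 and a failure would be reported as success.
  "$@" >"$log" 2>&1 || status=$?
  if [ "$status" -ne 0 ]; then
    cat -- "$log"
  fi
  # Remove the log on both paths; the original left it behind in /tmp.
  rm -f -- "$log"
  return "$status"
}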
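#######################################
# Ask a yes/no question on stdout and read one line of answer from stdin.
# Arguments: $1 - the action to confirm, inserted into the French prompt
# Returns:   0 if the answer is exactly "y", 1 otherwise
#######################################
function confirm {
  local answer=
  # printf keeps "$1" as a single word and avoids the unquoted '?' glob and
  # the non-portable "echo -n".
  printf 'Voulez-vous %s ? (y/n) ' "$1"
  # -r keeps backslashes literal; on EOF answer holds whatever was read.
  IFS= read -r answer || true
  [ "$answer" = "y" ]
}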
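# Suffix of the database to reset: first argument, else asked interactively.
if [ -z "${1-}" ]; then
  # Quoted so the trailing '?' is not expanded as a glob against the cwd.
  echo "Suffix de la base à réinitialiser ?"
  printf '> '
  # -r keeps backslashes literal; leading/trailing blanks are still trimmed.
  read -r SUFFIX
else
  SUFFIX="$1"
fi
# The suffix is expanded unquoted into LDIF heredocs and LDAP filters below;
# a newline in it would inject extra LDIF lines, so reject it outright.
case $SUFFIX in
  *$'\n'*) echo "ERREUR: suffixe invalide" >&2; exit 1 ;;
esac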
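# DN of the cn=config database entry whose olcSuffix is $SUFFIX, then the DN
# of the constraint overlay beneath it (empty when either is not found).
# NOTE(review): $SUFFIX goes into the LDAP filter unescaped; a suffix holding
# filter metacharacters ( ) * \ would need RFC 4515 escaping to match.
DN=$(ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config "olcSuffix=$SUFFIX" "" 2>/dev/null \
  | grep '^dn' | head -n1 | sed 's/^dn: //')
DN2=
# Only search below the database when it exists: an empty, unquoted base
# would otherwise shift the filter into the -b argument.
if [ -n "$DN" ]; then
  DN2=$(ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN" "objectClass=olcConstraintConfig" "" 2>/dev/null \
    | grep '^dn' | head -n1 | sed 's/^dn: //')
fi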
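# -n is the real test: "x$DN" != "" was always true, so the error branch
# below could never run and ldapmodify was fed an empty dn.
if [ -n "$DN" ]; then
  # Scratch LDIF reused by every ldapmodify; the trap removes it on any exit,
  # including the early exit set -e triggers on a failing command.
  LDIF=$(mktemp) || exit 1
  trap 'rm -f -- "$LDIF"' EXIT

  cat <<EOF
La réinitialisation des ACLs supprimera vos ACLs locales les remplaçant par le
standard PSL, à ne faire qu'en connaissance de cause.
EOF
  if confirm "remettre à zéro les ACLs"; then
    # LDIF: a continuation line starts with exactly one space; lines starting
    # with '#' are LDIF comments and are kept in French as written.
    cat <<EOF >"$LDIF"
dn: $DN
changetype: modify
replace: olcAccess
# Accès super-utilisateur
olcAccess: {0}to *
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by group.exact="cn=admin,ou=groups,$SUFFIX" manage
 by * break
# Structure du DIT: tout le monde peut voir
olcAccess: {1}to dn.base="$SUFFIX"
 by anonymous read
 by * +rs break
olcAccess: {2}to dn.one="$SUFFIX"
 by anonymous read
 by * +rs break
# Branche people
olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword
 by self write
 by anonymous auth
 by * none
olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,telephoneNumber,mobile,labeledURI
 by self write
 by * break
olcAccess: {5}to dn.one="ou=people,$SUFFIX"
 by self read
 by users read
 by anonymous auth
 by * none
# Branche groups
olcAccess: {6}to dn.one="ou=groups,$SUFFIX"
 by set="this/owner & user" manage
 by * break
olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member
 by set="this/supannGroupeAdminDN/member* & user" write
 by set="this/supannGroupeAdminDN & user" write
 by set="this/supannGroupeLecteurDN/member* & user" read
 by set="this/supannGroupeLecteurDN & user" read
 by group.exact="cn=reader,ou=groups,$SUFFIX" read
 by dnattr=member selfread
 by * none
olcAccess: {8}to dn.one="ou=groups,$SUFFIX"
 by users read
 by * none
# Branche structure, tout le monde peut lire
olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
 by * read
olcAccess: {10}to *
 by group.exact="cn=reader,ou=groups,$SUFFIX" +r
 by users +s
EOF
    echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" \
      && echo "- directives olcAccess réinitialisées"
  fi

  cat <<EOF
La réinitialisation des directives olcDBIndex supprimera vos règles
d'indexation locales, si vous utilisez des attributs locaux qui nécessitent une
indexation cela pourrait produire des ralentissements.
EOF
  if confirm "réinitialiser les directives olcDbIndex"; then
    cat <<EOF >"$LDIF"
dn: $DN
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId,pslBadgeCSN eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
-
replace: olcDbMaxSize
olcDbMaxSize: 1073741824
EOF
    # Report success only when ldapmodify succeeded, like the other steps.
    echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" \
      && echo "- directives olcDBIndex réinitialisées"
  fi

  # The three constraint removals need the olcConstraintConfig entry; without
  # it the searches would run against an empty base and match nothing.
  if [ -n "$DN2" ]; then
    # remove the displayname constraint
    # NOTE: in the search filter, left parenthesis must be escaped with \28
    # right parenthesis with \29
    # stars with \2a
    # backslash with \5c
    if ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" "olcConstraintAttribute=displayName,sn,givenName set \"\\28this/givenName + [ ] + this/sn\\29 & this/displayName\" restrict=\"ldap:///ou=people,$SUFFIX??sub?\\28objectClass=\\2a\\29\"" 2>/dev/null | grep -q ^olcConstraintAttribute ; then
      cat <<EOF >"$LDIF"
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
EOF
      echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" \
        && echo "- contrainte displayName retiré"
    fi

    # remove the supannAliasLogin constraint
    if ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" olcConstraintAttribute='supannAliasLogin regex "^[[:alnum:]]+$"' 2>/dev/null | grep -q ^olcConstraintAttribute ; then
      cat <<EOF >"$LDIF"
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
EOF
      echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" \
        && echo "- contrainte supannAliasLogin retiré"
    fi

    # remove the pslBadgeCSN constraint
    # Same attribute match as the two removals above (was a looser ^olc).
    if ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" 'olcConstraintAttribute=pslBadgeCSN regex "^[0-9A-F]{8,14}$"' 2>/dev/null | grep -q ^olcConstraintAttribute ; then
      cat <<EOF >"$LDIF"
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: pslBadgeCSN regex "^[0-9A-F]{8,14}$"
EOF
      # This step removes the constraint; the message said "ajouté" before.
      echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF" \
        && echo "- contrainte pslBadgeCSN retiré"
    fi
  fi

  echo "Réinitialisation de la base $DN pour le suffixe $SUFFIX effectuée."
else
  echo "ERREUR: Le suffixe $SUFFIX n'a pas été trouvé" >&2
  exit 1
fi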