#!/bin/bash
# Abort on the first unhandled non-zero exit status.
set -o errexit
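#######################################
# Run a command silently; when it fails, replay its captured stdout+stderr
# and propagate its exit status to the caller.
# Arguments: $@ - the command and its arguments
# Outputs:   the command's combined output, only when it failed
# Returns:   the command's exit status (0 on success), 1 if no log file
#            could be created
#######################################
echoonerror() {
  local log status
  # mktemp instead of the Debian-only, deprecated `tempfile`.
  log=$(mktemp) || return 1
  # The command runs inside `if` so that `set -e` does not abort before the
  # log is printed; `$?` in the else branch holds the real exit status
  # (reading `$?` after `! cmd`, as before, always yields 0).
  if "$@" >"$log" 2>&1; then
    status=0
  else
    status=$?
    cat -- "$log"
  fi
  # The log is no longer left behind in the temp directory.
  rm -f -- "$log"
  return "$status"
}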
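# The suffix of the database to reset comes from $1, or is asked interactively.
# SUFFIX is operator-supplied (argv or the prompt) and is embedded verbatim in
# the LDAP search filter below and in every generated olcAccess rule; it is
# not escaped, so only a trusted suffix must be passed here (the script already
# requires root, via ldapi:// with SASL EXTERNAL).
if [ -z "$1" ]; then
  # Quoted: the bare `?` used to be a glob that could match a one-char file.
  echo "Suffix de la base à réinitialiser ?"
  printf '> '
  read -r SUFFIX
else
  SUFFIX="$1"
fi

#######################################
# Print the DN of the first entry matching a filter under a base in cn=config.
# Arguments: $1 - search base, $2 - LDAP filter
# Outputs:   the DN on stdout, or nothing when no entry matched or the
#            search failed (ldapsearch errors are discarded)
# Returns:   the status of the last pipeline stage (head), i.e. 0
#######################################
# NOTE(review): a DN that ldapsearch prints base64-encoded ("dn:: ...") is not
# recognised here, same as the original grep/sed pipeline.
lookup_dn() {
  ldapsearch -LLL -H ldapi:// -Y EXTERNAL -b "$1" "$2" 1.1 2>/dev/null \
    | sed -n 's/^dn: //p' \
    | head -n1
}

DN=$(lookup_dn cn=config "olcSuffix=$SUFFIX")
# The former test `[ "x$DN" != "" ]` was always true, so a missing suffix was
# never reported; report it on stderr and exit non-zero so callers notice.
if [ -z "$DN" ]; then
  echo "ERREUR: Le suffixe $SUFFIX n'a pas été trouvé" >&2
  exit 1
fi
# Constraint overlay entry of this database, empty when there is none.
DN2=$(lookup_dn "$DN" "objectClass=olcConstraintConfig")

LDIF=$(mktemp) || exit 1
# Remove the LDIF on every exit path, including an abort under set -e.
trap 'rm -f -- "$LDIF"' EXIT

# NOTE(review): the cn=reader group in rules {7} and {10} is anchored under a
# fixed dc=quelquechose,dc=fr base rather than $SUFFIX — confirm this is
# intended before relying on those two rules.
cat <<EOF >"$LDIF"
dn: $DN
changetype: modify
replace: olcAccess
# Accès super-utilisateur
olcAccess: {0}to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by group.exact="cn=admin,ou=groups,$SUFFIX" manage
by * break
# Structure du DIT: tout le monde peut voir
olcAccess: {1}to dn.base="$SUFFIX"
by anonymous read
by * +rs break
olcAccess: {2}to dn.one="$SUFFIX"
by anonymous read
by * +rs break
# Branche people
olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword
by self write
by anonymous auth
by * none
olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,labeledURI
by self write
by * break
olcAccess: {5}to dn.one="ou=people,$SUFFIX"
by self read
by users read
by anonymous auth
by * none
# Branche groups
olcAccess: {6}to dn.one="ou=groups,$SUFFIX"
by set="this/owner & user" manage
by * break
olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member
by set="this/supannGroupeAdminDN/member* & user" write
by set="this/supannGroupeAdminDN & user" write
by set="this/supannGroupeLecteurDN/member* & user" read
by set="this/supannGroupeLecteurDN & user" read
by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" read
by dnattr=member selfread
by * none
olcAccess: {8}to dn.one="ou=groups,$SUFFIX"
by users read
by * none
# Branche structure, tout le monde peut lire
olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
by * read
olcAccess: {10}to *
by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" +r
by users +s
-
replace: olcDbIndex
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
EOF
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF"

# Only attempt the delete when the overlay entry exists and currently carries
# a displayName constraint. ldapsearch exits 0 even with zero matches, so the
# presence test has to look at the output, not at the exit status; the filter
# is quoted so its `*` is never glob-expanded by the shell.
if [ -n "$DN2" ] && [ -n "$(lookup_dn "$DN2" 'olcConstraintAttribute=*displayName*')" ]; then
  # `cat`, not `echo`: echo ignores stdin, so the heredoc used to be discarded
  # and an empty LDIF was handed to ldapmodify.
  cat <<EOF >"$LDIF"
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
EOF
  echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f "$LDIF"
fi
echo "Réinitialisation de la base $DN pour le suffixe $SUFFIX effectuée."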