Rewrite ACLs
- everybody (even anonymous) can read base dn, ou and structures - add a new reader group - user can see themselves in groups
This commit is contained in:
parent
dbfb82f540
commit
babb3908ad
112
lib/newdb
112
lib/newdb
|
|
@ -100,40 +100,50 @@ olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRef
|
|||
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
|
||||
# Accès super-utilisateur
|
||||
olcAccess: {0}to *
|
||||
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
|
||||
by group.exact="cn=admin,ou=groups,$SUFFIX" manage
|
||||
by * break
|
||||
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
|
||||
by group.exact="cn=admin,ou=groups,$SUFFIX" manage
|
||||
by * break
|
||||
# Structure du DIT: tout le monde peut voir
|
||||
olcAccess: {1}to dn.base="$SUFFIX"
|
||||
by anonymous read
|
||||
by * +rs break
|
||||
olcAccess: {2}to dn.one="$SUFFIX"
|
||||
by anonymous read
|
||||
by * +rs break
|
||||
# Branche people
|
||||
olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI
|
||||
by self write
|
||||
by * break
|
||||
# Les accès aux autres attributs utilisateurs
|
||||
olcAccess: {2}to dn.one="ou=people,$SUFFIX"
|
||||
by users read
|
||||
by anonymous auth
|
||||
by * none
|
||||
olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,labeledURI
|
||||
by self write
|
||||
by * break
|
||||
olcAccess: {5}to dn.one="ou=people,$SUFFIX"
|
||||
by self read
|
||||
by users read
|
||||
by anonymous auth
|
||||
by * none
|
||||
# Branche groups
|
||||
# Le propriétaire du groupe
|
||||
olcAccess: {3}to dn.one="ou=groups,$SUFFIX"
|
||||
by set="this/owner & user" manage
|
||||
by * break
|
||||
# Les utilisateurs en général sur les attributs descriptifs
|
||||
olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=cn,description,owner,supannRefId
|
||||
by users read
|
||||
by * break
|
||||
# Les admin et lecteur des membres du groupe
|
||||
# les membres peuvent trouver leurs groupes
|
||||
olcAccess: {5}to dn.one="ou=groups,$SUFFIX" attrs=member
|
||||
by set="this/supannGroupeAdminDN/member* & user" write
|
||||
by set="this/supannGroupeAdminDN & user" write
|
||||
by set="this/supannGroupeLecteurDN/member* & user" read
|
||||
by set="this/supannGroupeLecteurDN & user" read
|
||||
by dnattr=member search
|
||||
# Branche structures
|
||||
olcAccess: {6}to dn.one="ou=structures,$SUFFIX"
|
||||
by * read
|
||||
# Autorisation de recherche par tous les utilisateurs sur toute la base
|
||||
olcAccess: {7}to * by users search
|
||||
olcAccess: {6}to dn.one="ou=groups,$SUFFIX"
|
||||
by set="this/owner & user" manage
|
||||
by * break
|
||||
olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member
|
||||
by set="this/supannGroupeAdminDN/member* & user" write
|
||||
by set="this/supannGroupeAdminDN & user" write
|
||||
by set="this/supannGroupeLecteurDN/member* & user" read
|
||||
by set="this/supannGroupeLecteurDN & user" read
|
||||
by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" read
|
||||
by dnattr=member selfread
|
||||
by * none
|
||||
olcAccess: {8}to dn.one="ou=groups,$SUFFIX"
|
||||
by users read
|
||||
by * none
|
||||
# Branche structure, tout le monde peut lire
|
||||
olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
|
||||
by * read
|
||||
olcAccess: {10}to *
|
||||
by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" +r
|
||||
by users +s
|
||||
|
||||
# Create accesslog DIT
|
||||
add olcDatabase={1}mdb,cn=config
|
||||
|
|
@ -141,7 +151,7 @@ objectClass: olcDatabaseConfig
|
|||
objectClass: olcMdbConfig
|
||||
olcSuffix: cn=accesslog,$SUFFIX
|
||||
olcDbDirectory: /var/lib/ldap/$SUFFIX/accesslog/
|
||||
olcAccess: {0}to *
|
||||
olcAccess: {0}to *
|
||||
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
|
||||
by group=cn=admin,ou=groupes,$SUFFIX manage
|
||||
by * break
|
||||
|
|
@ -171,8 +181,8 @@ add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config
|
|||
objectClass: olcOverlayConfig
|
||||
objectClass: olcRefintConfig
|
||||
olcOverlay: {2}refint
|
||||
olcRefintAttribute: member
|
||||
eduPersonOrgDN
|
||||
olcRefintAttribute: member
|
||||
eduPersonOrgDN
|
||||
eduPersonOrgUnitDN
|
||||
owner
|
||||
eduPersonPrimaryOrgUnitDN
|
||||
|
|
@ -186,26 +196,26 @@ objectClass: olcOverlayConfig
|
|||
objectClass: olcConstraintConfig
|
||||
olcOverlay: {3}constraint
|
||||
# un seul cn pour les utilisateurs
|
||||
olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
|
||||
#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
|
||||
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,$SUFFIX??sub?(objectClass=*)"
|
||||
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///$SUFFIX??base?(objectClass=*)"
|
||||
olcConstraintAttribute: dc regex "^[a-z0-9-]*$"
|
||||
olcConstraintAttribute: eduOrgHomePageURI,eduOrgSuperiorURI,eduOrgWhitePagesURI regex "^https?://.*$"
|
||||
olcConstraintAttribute: eduPersonAffiliation regex "^(student|faculty|staff|employee|member|affiliate|alum|library-walk-in|researcher|retired|emeritus|teacher|registered-reader)$"
|
||||
olcConstraintAttribute: eduPersonPrincipalName regex "^.*@.*$"
|
||||
olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
|
||||
#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
|
||||
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,$SUFFIX??sub?(objectClass=*)"
|
||||
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///$SUFFIX??base?(objectClass=*)"
|
||||
olcConstraintAttribute: dc regex "^[a-z0-9-]*$"
|
||||
olcConstraintAttribute: eduOrgHomePageURI,eduOrgSuperiorURI,eduOrgWhitePagesURI regex "^https?://.*$"
|
||||
olcConstraintAttribute: eduPersonAffiliation regex "^(student|faculty|staff|employee|member|affiliate|alum|library-walk-in|researcher|retired|emeritus|teacher|registered-reader)$"
|
||||
olcConstraintAttribute: eduPersonPrincipalName regex "^.*@.*$"
|
||||
olcConstraintAttribute: mail count 1
|
||||
olcConstraintAttribute: mail,supannMailPerso,supannAutreMail
|
||||
regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$"
|
||||
# olcConstraintAttribute: mailForwardingAddress
|
||||
olcConstraintAttribute: mail,supannMailPerso,supannAutreMail
|
||||
regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$"
|
||||
# olcConstraintAttribute: mailForwardingAddress
|
||||
regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$" # mail ou uid
|
||||
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
|
||||
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
|
||||
olcConstraintAttribute: supannCodeEntiteParent,supannEntiteAffectation uri ldap:///ou=structures,$SUFFIX?supannCodeEntite?sub?(objectClass=supannEntite)
|
||||
olcConstraintAttribute: supannCodeINE count 1
|
||||
olcConstraintAttribute: supannEmpId count 1
|
||||
# FIXME: syntex regex pas bonne
|
||||
olcConstraintAttribute: supannCivilite regex "^(M.|Mme|Mlle)$"
|
||||
olcConstraintAttribute: supannTypeEntite,supannEtuCursusAnnee regex "^\{SUPANN\}[A-Z][0-9]+$"
|
||||
olcConstraintAttribute: supannCivilite regex "^(M.|Mme|Mlle)$"
|
||||
olcConstraintAttribute: supannTypeEntite,supannEtuCursusAnnee regex "^\{SUPANN\}[A-Z][0-9]+$"
|
||||
# attribut issu d'une nomenclature
|
||||
olcConstraintAttribute: supannEtablissement,
|
||||
supannEtuDiplome,
|
||||
|
|
@ -214,8 +224,8 @@ olcConstraintAttribute: supannEtablissement,
|
|||
supannEtuRegimeInscription,
|
||||
supannEtuSecteurDisciplinaire,
|
||||
supannEtuTypeDiplome,
|
||||
regex "^\{[^}]+\}.*$"
|
||||
olcConstraintAttribute: supannEtuAnneeInscription regex "^[0-9][0-9][0-9][0-9]$"
|
||||
regex "^\{[^}]+\}.*$"
|
||||
olcConstraintAttribute: supannEtuAnneeInscription regex "^[0-9][0-9][0-9][0-9]$"
|
||||
|
||||
add olcOverlay={4}unique,olcDatabase={2}mdb,cn=config
|
||||
objectClass: olcOverlayConfig
|
||||
|
|
|
|||
77
lib/resetacl
77
lib/resetacl
|
|
@ -1,6 +1,15 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
function echoonerror {
|
||||
LOG=`tempfile`
|
||||
if ! "$@" >$LOG 2>&1; then
|
||||
STATUS="$?"
|
||||
cat $LOG
|
||||
return $STATUS
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "x$1" = "x" ]; then
|
||||
echo Suffix de la base à réinitialiser ?
|
||||
echo -ne "> "
|
||||
|
|
@ -12,31 +21,73 @@ fi
|
|||
DN=`ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config "olcSuffix=$SUFFIX" "" 2>/dev/null | grep ^dn | head -n1 | sed 's/^dn: //'`
|
||||
DN2=`ldapsearch -H ldapi:// -Y EXTERNAL -b $DN "objectClass=olcConstraintConfig" "" 2>/dev/null | grep ^dn | head -n1 | sed 's/^dn: //'`
|
||||
|
||||
if [ "x$DN" != "" ]; then
|
||||
if [ "x$DN" != "" ]; then
|
||||
LDIF=`tempfile`
|
||||
cat <<EOF >$LDIF
|
||||
dn: $DN
|
||||
changetype: modify
|
||||
replace: olcAccess
|
||||
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by group.exact="cn=admin,ou=groups,$SUFFIX" manage by * break
|
||||
olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,userPassword,labeledURI by self write by * break
|
||||
olcAccess: {2}to dn.one="ou=groups,$SUFFIX" by set="this/owner & user" manage by * break
|
||||
olcAccess: {3}to dn.one="ou=groups,$SUFFIX" attrs=entry,cn,description,owner,supannRefId by users read by * break
|
||||
olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=member by set="this/supannGroupeAdminDN/member* & user" write by set="this/supannGroupeAdminDN & user" write by set="this/supannGroupeLecteurDN/member* & user" read by set="this/supannGroupeLecteurDN & user" read by dnattr=member search
|
||||
olcAccess: {5}to dn.one="ou=structures,$SUFFIX" by * read
|
||||
olcAccess: {6}to dn.one="ou=people,$SUFFIX" by self read by users read by anonymous auth by * none
|
||||
olcAccess: {7}to * by users search
|
||||
# Accès super-utilisateur
|
||||
olcAccess: {0}to *
|
||||
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
|
||||
by group.exact="cn=admin,ou=groups,$SUFFIX" manage
|
||||
by * break
|
||||
# Structure du DIT: tout le monde peut voir
|
||||
olcAccess: {1}to dn.base="$SUFFIX"
|
||||
by anonymous read
|
||||
by * +rs break
|
||||
olcAccess: {2}to dn.one="$SUFFIX"
|
||||
by anonymous read
|
||||
by * +rs break
|
||||
# Branche people
|
||||
olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,labeledURI
|
||||
by self write
|
||||
by * break
|
||||
olcAccess: {5}to dn.one="ou=people,$SUFFIX"
|
||||
by self read
|
||||
by users read
|
||||
by anonymous auth
|
||||
by * none
|
||||
# Branche groups
|
||||
olcAccess: {6}to dn.one="ou=groups,$SUFFIX"
|
||||
by set="this/owner & user" manage
|
||||
by * break
|
||||
olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member
|
||||
by set="this/supannGroupeAdminDN/member* & user" write
|
||||
by set="this/supannGroupeAdminDN & user" write
|
||||
by set="this/supannGroupeLecteurDN/member* & user" read
|
||||
by set="this/supannGroupeLecteurDN & user" read
|
||||
by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" read
|
||||
by dnattr=member selfread
|
||||
by * none
|
||||
olcAccess: {8}to dn.one="ou=groups,$SUFFIX"
|
||||
by users read
|
||||
by * none
|
||||
# Branche structure, tout le monde peut lire
|
||||
olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX"
|
||||
by * read
|
||||
olcAccess: {10}to *
|
||||
by group.exact="cn=reader,ou=groups,dc=quelquechose,dc=fr" +r
|
||||
by users +s
|
||||
-
|
||||
replace: olcDbIndex
|
||||
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId eq
|
||||
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
|
||||
|
||||
EOF
|
||||
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF
|
||||
if echoonerror ldapsearch -H ldapi:// -Y EXTERNAL -b "$DN2" olcConstraintAttribute=*displayName* >/dev/null; then
|
||||
echo <<EOF >$LDIF
|
||||
dn: $DN2
|
||||
changetype: modify
|
||||
delete: olcConstraintAttribute
|
||||
olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
|
||||
olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
|
||||
EOF
|
||||
ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF 2>/dev/null >/dev/null
|
||||
echoonerror ldapmodify -H ldapi:// -Y EXTERNAL -f $LDIF
|
||||
fi
|
||||
rm $LDIF
|
||||
echo "Réinitialisation de la base $DN pour le suffixe $SUFFIX effectuée."
|
||||
else
|
||||
|
|
|
|||
Reference in New Issue