slapd.conf/ACLs for woody's slapd
here is a slapd.conf with ACLs that give jradmin and admins some
special powers. it works with woody's slapd 2.0. i tested both the
wlus debian package and the acls on a skolelinux 1.0
installation.
the wlus debian package from yesterday's URL was updated in the
meantime to fix minor bugs.
note that you still need the lis.schema out of the tar archive
posted yesterday.
i am not yet totally happy with what admins can do. those ACLs
are just starting to form up.
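# The skolelinux slapd configuration file
#
# $Id: slapd-debian-edu.conf,v 1.4 2004/05/21 21:13:52 finnarne-guest Exp $
#
# Directives are read in order.  A line that begins with whitespace is a
# continuation of the previous directive, which is why every "by" clause
# of an "access to" rule below is indented: slapd parses the whole rule
# as one logical line.
#
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/courier.schema
include /etc/ldap/schema/automount.schema
include /etc/ldap/schema/lis.schema
# Include the LDAP schemas needed by samba.
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Don't include the LDAP schemas used by eduPerson yet.
#include /etc/ldap/schema/EduPerson.schema
#include /etc/ldap/schema/norEduPerson.schema
# Schema check forces entries to match the schemas of their objectClasses.
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
#loglevel 128
loglevel 0
# Upper bound on the number of entries a single search may return.
sizelimit 2000
# Entry and database cache sizes: keep the db in ram for better performance.
cachesize 10000
dbcachesize 10000000
#######################################################################
# ldbm database definitions
#######################################################################
# The backend type, ldbm, is the default standard
database ldbm
# The base of your directory
suffix "dc=skole,dc=skolelinux,dc=no"
# Where the database files are physically stored
directory "/var/lib/ldap"
index default pres,eq
index objectclass pres,eq
index uid pres,eq
#index eduPersonPrincipalName pres,eq
index cn,mail,surname,givenname pres,eq,sub
index uidNumber,gidNumber pres,eq
index member pres,eq
index memberUid pres,eq
index userPassword eq
# Indexes used by Samba2
#index lmPassword eq
#index ntPassword eq
# Indexes used by Samba3
index sambaSID eq
index sambaNTPassword eq
index sambaLMPassword eq
# Indices special for WLUS
index groupType eq
# Save the time that the entry gets modified
lastmod on
#######################################################################
# Access control
#######################################################################
# The first "access to" clause whose <what> matches the entry/attribute
# decides (unless a "by" clause ends in "break"), so the specific
# password rules must stay above the catch-all "access to *" at the end.
#
# Default access for passwords
# PS: You have to use an encrypted channel (with either SSL or TLS) to
# access userPassword: 'ssf=128'.
# Webmin-ldap-skolelinux uses TLS, and PAM authentication uses SSL.
# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
#
# NOTE(review): "by * auth" below carries no ssf, so a simple bind as
# cn=admin is accepted over an unencrypted connection, unlike the
# "by anonymous ssf=128 auth" rule for everybody else — confirm this is
# intended rather than an oversight from the pending SL bugs.
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" attrs=userPassword
    by self ssf=128 =wx
    by * auth
# The rest of the cn=admin entry: the admins group may edit it.
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
    by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
    by * read
# Everybody else's userPassword: only the owner and cn=admin may change
# it, and only over an encrypted connection.  "none break" sends
# requesters that match no clause on to the writeableBy rules below
# instead of denying them here.
access to attrs=userPassword
    by self ssf=128 =wx
    by anonymous ssf=128 auth
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
    by * none break
# Delegated password administration: the admins group may set the
# password of entries flagged writeableBy=admins, the jradmins group that
# of entries flagged writeableBy=jradmins (presumably an attribute from
# lis.schema — verify).  The last rule ends with a plain "none", so no
# later rule is consulted for userPassword.
access to filter=(writeableBy=admins) attrs=userPassword
    by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
    by * none break
access to filter=(writeableBy=jradmins) attrs=userPassword
    by group.base="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
    by * none
#
# Ensure samba password hashes.
#
# Restricted access to the samba password hashes
# (allow access for admin so old installations don't break)
access to attrs=sambaLMPassword,sambaNTPassword
    by self ssf=128 write
    by anonymous ssf=128 auth
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * none
# Access to samba attributes.
# NOTE(review): the documented keyword is "attrs="; "attribute=" is left
# as the author tested it on 2.0 — confirm slapd accepts this spelling,
# otherwise this rule is not applied at all.
access to attribute=objectClass,cn,uid,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * read
# We store machine-accounts for samba in a private ou.
# NOTE(review): dn="..." without a style is a regex match, so this also
# covers every entry below the ou — presumably the intent; verify.
access to dn="ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no"
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * read
# Default access: everything not matched above is world-readable and
# writable by cn=admin and the admins group.
access to *
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" write
    by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
    by * read
#######################################################################
# TLS
#######################################################################
# The obsolete SSLv2 cipher suites are no longer offered; HIGH:MEDIUM
# already lists the SSLv3/TLS suites that the ssf=128 rules above rely on.
TLSCipherSuite HIGH:MEDIUM
# Server certificate, its private key and the CA certificate are all read
# from the same pem file; since it holds the private key it must stay
# readable by the slapd user only.
TLSCertificateFile /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
TLSCACertificateFile /etc/ldap/ssl/slapd.pem
# End of slapd configuration file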