
slapd.conf/ACLs for woody's slapd



Here is a slapd.conf with ACLs that give the jradmins and admins groups some
special powers. It works with woody's slapd 2.0. I tested both the
wlus Debian package and the ACLs on a Skolelinux 1.0
installation.

The wlus Debian package from yesterday's URL was updated in the
meantime to fix minor bugs.

Note that you still need the lis.schema from the tar archive
posted yesterday.

I am not yet totally happy with what admins can do; those ACLs
are only just starting to take shape.

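# The skolelinux slapd configuration file
#
# $Id: slapd-debian-edu.conf,v 1.4 2004/05/21 21:13:52 finnarne-guest Exp $
#
# Layout: global directives first (schema, logging, TLS), then the
# database definition with its backend-specific tuning, then the ACLs.
# slapd reads this file top to bottom.  A backend directive (cachesize,
# dbcachesize, index, ...) that appears before the first "database"
# line is outside any database definition and is not applied to the
# backend (older slapd logs "unknown directive ... (ignored)" for it),
# and global directives are safest before the first "database" line.

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/courier.schema
include         /etc/ldap/schema/automount.schema
# Skolelinux-specific schema; the writeableBy attribute used by the
# delegation ACLs below is presumably defined here (it is not in the
# standard schemas above).
include		/etc/ldap/schema/lis.schema
# Include the LDAP-schemas needed by samba.
include		/etc/ldap/schema/inetorgperson.schema
include		/etc/ldap/schema/samba.schema
# Don't include the LDAP-schemas used by eduPerson yet.
#include		/etc/ldap/schema/EduPerson.schema
#include		/etc/ldap/schema/norEduPerson.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck	on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile		/var/run/slapd.pid

# List of arguments that were passed to the server
argsfile	/var/run/slapd.args

# Read slapd.conf(5) for possible values.
# loglevel 0 disables logging completely, which leaves no record of
# binds, failed authentications or modifications on a server that
# holds account passwords.  256 ("stats") logs connections, operations
# and results and is the usual minimum; 128 additionally logs ACL
# processing and is handy while working on the ACLs below.
#loglevel	128
loglevel 	256

# Maximum number of entries returned for a single search
# (this is a result-size limit, not a cache setting).
sizelimit 2000

#######################################################################
# TLS
#######################################################################
# The ACLs below only allow userPassword and the samba hashes to be
# used over a connection with ssf=128, so TLS has to work for anyone
# to authenticate.
#
# The cipher list must not re-enable the SSLv2 suites: in OpenSSL's
# cipher-string syntax "SSLv2" *adds* the (export-grade, 40/56-bit)
# SSLv2 ciphers, it does not exclude them.  Exclude them explicitly,
# together with unauthenticated (aNULL) and unencrypted (eNULL) suites.
TLSCipherSuite		HIGH:MEDIUM:!SSLv2:!aNULL:!eNULL
# Certificate, private key and CA certificate all come from the same
# PEM file.  Because the private key is in it, the file must be
# readable only by the user slapd runs as.  Pointing the CA file at
# the server's own certificate only makes sense while the certificate
# is self-signed; once it is issued by a real CA, point
# TLSCACertificateFile at that CA's certificate instead.
TLSCertificateFile      /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile   /etc/ldap/ssl/slapd.pem
TLSCACertificateFile    /etc/ldap/ssl/slapd.pem

#######################################################################
# ldbm database definitions
#######################################################################

# The backend type, ldbm, is the default standard
database	ldbm

# The base of your directory
suffix		"dc=skole,dc=skolelinux,dc=no"

# Where the database file are physically stored
directory	"/var/lib/ldap"

# Keep more of the db in RAM for better performance.  These are ldbm
# backend directives and must follow the "database" line; in the
# original file they preceded it and were therefore not applied.
cachesize 10000
dbcachesize 10000000

index default pres,eq
index objectclass		pres,eq
index uid			pres,eq
#index eduPersonPrincipalName	pres,eq
index cn,mail,surname,givenname	pres,eq,sub
index uidNumber,gidNumber	pres,eq
index member			pres,eq
index memberUid			pres,eq
index userPassword		eq
# Indexes used by Samba2
#index lmPassword		eq
#index ntPassword		eq
# Indexes used by Samba3
index sambaSID			eq
index sambaNTPassword		eq
index sambaLMPassword		eq
# Indices special for WLUS
index groupType			eq


# Save the time that the entry gets modified
lastmod on

#######################################################################
# Access control
#######################################################################
# ACLs are evaluated in order: the first "access to" clause whose
# <what> matches the entry and attribute decides, unless the matching
# "by" clause ends in "break".  A "by" clause whose ssf requirement is
# not met is skipped, so on a cleartext connection the request falls
# through to the next "by" line.  Keep the password rules ahead of the
# entry-level and default rules, or those rules' "by * read" will
# expose the hashes.
#
# Default access for passwords
# PS: You have to use an encrypted channel(with either SSL or TLS) to 
#     access userPassword: 'ssf=128'.
# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
# (The original note said ssf=128 was to be used once SL bugs 213 and
# 404 are closed; it is already in force below, so make sure every
# client that binds here can do TLS.)
#

# The directory manager's own password.  Binding as cn=admin requires
# TLS ("by * ssf=128 auth"), exactly as the generic userPassword rule
# below already requires for every other account; a plain "by * auth"
# would allow the most privileged password in the directory to be sent
# in clear.  Any local tool that binds as cn=admin without TLS has to
# be switched to ldaps/STARTTLS first.
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" attrs=userPassword
	by self ssf=128 =wx
	by * ssf=128 auth

# The directory manager's samba hashes.  The entry-level rule for
# cn=admin that follows has no attrs= restriction and ends in
# "by * read"; without this rule it would match first and make
# sambaLMPassword/sambaNTPassword on cn=admin (if the entry has them)
# readable by everyone, bypassing the generic samba-hash rule below.
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" attrs=sambaLMPassword,sambaNTPassword
	by self ssf=128 write
	by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
	by anonymous ssf=128 auth
	by * none

# The rest of the cn=admin entry: members of cn=admins may edit it
# (its passwords are handled above), everybody may read it.
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
	by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
	by * read

# Everybody else's userPassword: the owner may change it (=wx: write
# and authenticate, never read it back), anonymous may only
# authenticate against it, cn=admin may set it -- all over TLS only.
# The "break" hands unmatched binders to the delegation rules below,
# which grant =wx to cn=admins / cn=jradmins on the entries whose
# writeableBy attribute names them.  Only cn=admin and cn=admins can
# write writeableBy (it falls under the default rule at the end), so
# jradmins cannot extend their own delegation.
access to attrs=userPassword
	by self ssf=128 =wx
	by anonymous ssf=128 auth
	by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
	by * none break
access to filter=(writeableBy=admins) attrs=userPassword
	by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
	by * none break
access to filter=(writeableBy=jradmins) attrs=userPassword
	by group.base="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
	by * none

#
# Ensure samba password hashes.
#

# Restricted access to some samba attributes
# (allow access for admin to don't break old installations)
# The LM/NT hashes are password equivalents (they can be replayed
# directly against SMB), so they get the same treatment as
# userPassword: TLS only, readable by nobody but the samba service
# account (cn=smbadmin) and cn=admin.  "write" for self also implies
# read; "=w" would be tighter if the tools that change samba passwords
# as the user do not need the old hash -- TODO confirm before changing.
access to attrs=sambaLMPassword,sambaNTPassword
	by self ssf=128 write
	by anonymous ssf=128 auth
	by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
	by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
	by * none

# Access to samba attributs (identity/posix attributes shared with NSS).
# Same "attrs=" keyword as the other rules.  Note that cn=admins is not
# listed here: for these attributes the group falls through to
# "by * read", so it cannot create or rename accounts even though the
# default rule below gives it write on everything else -- add a
# group.base line here once it is decided what admins may do.
access to attrs=objectClass,cn,uid,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags
	by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
	by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
	by * read

# We store machine-accounts for samba in a private ou.
# A bare dn= in this slapd is a regular expression, and this one is
# unanchored, so it matches the ou itself and every entry beneath it
# (the DN suffix stops it matching anything else).  Spell it as
# dn.subtree= if this slapd accepts that style, for clarity.
access to dn="ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no"
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * read

# Defaultaccess: everything not matched above.  Anonymous read is what
# libnss-ldap clients need for account/group lookups, but it also
# means every host that can reach the port can enumerate users, groups
# (including cn=admins/cn=jradmins membership) and machine accounts.
access to *
	by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" write
	by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
	by * read

# End of slapd configuration file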


