new WLUS: 1.4-5
The good news is that this is the WLUS with the ACL support for
jradmins. The bad news is that it requires an LDAP schema change
and that it has to depend on a debian-edu-config which is not
uploaded to Debian (or our own repository) yet, making it
uninstallable.
The ACLs also require changes in the slapd.conf. These ACLs will
work both with woody and sarge's slapd. Just replace the existing
ones.
================= snip ========================
# Webmin-ldap-skolelinux uses TLS, and PAM authentication uses SSL
# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
#
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
    by * none break
access to *
    by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
    by * none break
access to attrs=userPassword
    by self ssf=128 =wx
    by anonymous ssf=128 auth
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
    by * none break
access to filter=(writeableBy=jradmins) attrs=userPassword
    by group.exact="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
    by * none
#
# Ensure samba password hashes.
#
# Restricted access to some samba attributes
# (allow access for admin so as not to break old installations)
access to attrs=sambaLMPassword,sambaNTPassword
    by self ssf=128 write
    by anonymous ssf=128 auth
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * none
# Access to samba attributes
access to attrs=objectClass,cn,uid,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags,sambaGroupType,sambaPasswordHistory
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * read
# We store machine-accounts for samba in a private ou
access to dn.base="ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no"
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * read
# Default access
access to *
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * read
================= snap ========================
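
An added example, not part of the original message or of WLUS: a small Python check that, after replacing the ACLs in slapd.conf, lists every `by` clause that grants auth or write access without the `ssf=128` requirement the rules above rely on. The function names and the sample text are assumptions made for illustration; the second sample rule is deliberately weakened.

```python
import re
import shlex

# Constructed sample: one rule copied from the message, one deliberately weakened.
SAMPLE = """\
access to attrs=userPassword
    by self ssf=128 =wx
    by anonymous ssf=128 auth
    by * none break
access to attrs=sambaLMPassword,sambaNTPassword
    by self write
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=56 write
    by * none
"""

def logical_lines(text):
    """Unwrap slapd.conf continuation lines (leading whitespace), then drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return [l for l in out if not l.startswith("#")]

def is_sensitive(tok):
    """True for the auth/write/manage levels or a privilege set such as =wx."""
    priv = re.fullmatch(r"[=+]([0dxcsrwm]+)", tok)
    return tok in ("auth", "write", "manage") or bool(priv and set(priv[1]) & set("wxm"))

def weak_clauses(text, min_ssf=128):
    """Return (what, who, access, ssf) for sensitive clauses whose ssf is below min_ssf."""
    findings = []
    for line in logical_lines(text):
        toks = shlex.split(line)  # removes the quotes around DNs
        by_idx = [i for i, t in enumerate(toks) if t == "by"]
        if toks[:2] != ["access", "to"] or not by_idx:
            continue
        what = " ".join(toks[2:by_idx[0]])
        for start, end in zip(by_idx, by_idx[1:] + [len(toks)]):
            clause = toks[start + 1:end]  # who, then optional ssf, access, control
            access = next((t for t in clause[1:] if is_sensitive(t)), None)
            ssfs = [int(t[4:]) for t in clause if re.fullmatch(r"ssf=\d+", t)]
            if access and max(ssfs, default=0) < min_ssf:
                findings.append((what, clause[0], access, max(ssfs, default=0)))
    return findings
```

The `by` clauses are only read as part of their `access to` directive when they start with whitespace, which is why the checker unwraps continuation lines before looking at anything else.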