
# slapd access-control directives (ACLs) for this server go in this file.
# slapd evaluates them in order and applies the first "access to" rule that
# matches the entry and attribute, so the order of the rules below matters.

# The root DSE -- the entry with the empty DN "" -- must be readable by every
# client, anonymous ones included: clients read it before binding to discover
# the naming contexts and the controls/features the server supports.
access to dn.exact=""
by * read

# The subschema subentry is world-readable so that clients can look up the
# attribute types and object classes in use; it holds no directory data.
access to dn.subtree="cn=Subschema"
by * read

# Generic ACLs
# These ACLs should work well for any domain-based (i.e. dc=...,dc=...) suffix
# but need adjustment and testing for any other suffix.
# Note that these ACLs allow anonymous read access to most non-password
# attributes (account, group and host data).  To prevent leaking this
# information to unauthenticated clients, remove the "by anonymous read" lines.

# Password attributes.
# The regex matches any ou=... entry directly under a dc-based suffix and
# every entry exactly one RDN below it ("([^,]*,)?" allows a single leading
# RDN).  $2 captures the suffix (dc=...,dc=...) and is substituted into the
# ",expand" clauses below, so one generic rule can name the privileged
# accounts (root, Domain Controllers, Replicator) instead of repeating them in
# each per-ou rule.
# OpenLDAP will not authenticate against non-userPassword attributes, but the
# Samba hash attributes are listed here as well so they get the same
# protection without duplicating most of the rules.
# The first matching "by" clause wins: the entry owner and the privileged
# accounts may write; anonymous may only use the value for a bind ("auth");
# nobody else -- not even other authenticated users -- may read or compare.
# NOTE(review): entries nested more than one level below an ou (for example
# uid=x,ou=Sub,ou=People,$2) do not match this rule and are left to the later
# rules / default policy -- confirm that is intended before nesting entries.
# NOTE(review): "by self write" lets a user set its own password; this ACL
# enforces no password-quality rules.
access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory
by self write
by dn.exact,expand="uid=root,ou=People,$2" write
by group.expand="cn=Domain Controllers,ou=Group,$2" write
by group.expand="cn=Replicator,ou=Group,$2" write
by anonymous auth
by * none

# User accounts: ou=People itself and the entries directly below it.
# "entry" and "children" are the pseudo-attributes that control modifying/
# deleting an entry and adding/removing its children; posixAccount,
# sambaAccount and sambaSamAccount are objectClass shorthands that expand to
# every attribute those classes allow or require.  root, the Samba domain
# controllers and the Replicator may create and modify accounts (domain
# controllers need this to add users); authenticated and anonymous clients
# may read them.
# NOTE(review): these objectClasses also allow password attributes (e.g.
# posixAccount allows userPassword); they stay protected only because the
# password rule above is listed first and matches the same entries -- keep
# the rules in this order.
access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=entry,children,posixAccount,sambaAccount,sambaSamAccount
by dn.exact,expand="uid=root,ou=People,$2" write
by group.expand="cn=Domain Controllers,ou=Group,$2" write
by group.expand="cn=Replicator,ou=Group,$2" write
by users read
by anonymous read

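# Let users maintain the "address book" attributes of their own People entry.
# The pattern is anchored at the start of the DN ("^"), like the neighbouring
# rules, so it applies only to ou=People itself and the entries directly
# below it.  Without the anchor it also matched entries nested deeper under
# ou=People (e.g. uid=x,ou=Sub,ou=People,$2), to which the password rule
# above does not apply, and any entry directly under the suffix whose RDN
# value happened to end in "ou=People" -- the unanchored search could start
# inside a value.  $2 captures the dc-based suffix for the ",expand" clauses.
# attrs=inetOrgPerson is the objectClass shorthand (every attribute that
# inetOrgPerson allows or requires); mail is listed explicitly as well.
# NOTE(review): inetOrgPerson inherits from person, which allows
# userPassword -- confirm the objectClass expansion does not include it, or
# rely on the password rule above always matching first.
access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=inetOrgPerson,mail
by self write
by dn.exact,expand="uid=root,ou=People,$2" write
by group.expand="cn=Domain Controllers,ou=Group,$2" write
by group.expand="cn=Replicator,ou=Group,$2" write
by users read
by anonymous read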

# Groups: ou=Group itself and the entries directly below it.
# posixGroup and sambaGroupMapping are objectClass shorthands (group
# membership and Samba group-mapping attributes); "entry"/"children" allow
# creating and deleting group entries.  root, the Samba domain controllers
# and the Replicator may create groups and their Samba mappings; group
# membership is readable by authenticated and anonymous clients alike, which
# is the information leak the header comment warns about.
access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=entry,children,posixGroup,sambaGroupMapping
by dn.exact,expand="uid=root,ou=People,$2" write
by group.expand="cn=Domain Controllers,ou=Group,$2" write
by group.expand="cn=Replicator,ou=Group,$2" write
by users read
by anonymous read

# Machine accounts: ou=Hosts itself and the entries directly below it.
# Samba domain controllers create machine trust accounts here; the same
# objectClass shorthands as for ou=People apply (attribute and objectClass
# names are case-insensitive, so "inetOrgperson" is accepted as written).
# NOTE(review): as with ou=People, the password attributes of these entries
# are protected only by the password rule listed earlier -- keep that order.
access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
by dn.exact,expand="uid=root,ou=People,$2" write
by group.expand="cn=Domain Controllers,ou=Group,$2" write
by group.expand="cn=Replicator,ou=Group,$2" write
by users read
by anonymous read

# Samba idmap entries under ou=Idmap (and ou=Idmap itself).
# sambaIdmapEntry is the objectClass shorthand for the SID <-> uid/gid
# mapping attributes; root, the Samba domain controllers and the Replicator
# may add and update mappings, everyone else may read them.
access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=entry,children,sambaIdmapEntry
by dn.exact,expand="uid=root,ou=People,$2" write
by group.expand="cn=Domain Controllers,ou=Group,$2" write
by group.expand="cn=Replicator,ou=Group,$2" write
by users read
by anonymous read

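# Shared "global address book": ou=Contacts itself and the entries directly
# below it.  Every DN under ou=People may add, modify and delete contact
# entries ("children" on ou=Contacts, "entry" on the contact); the Replicator
# may write too; authenticated and anonymous clients may read.
# The leading RDN group is "([^,]+,)?" -- one complete RDN -- as in the other
# rules.  It used to be "([^,],)?", which matches only a single-character RDN,
# so real contact entries such as cn=...,ou=Contacts,$2 never matched this
# rule (only ou=Contacts itself did) and adding a contact failed on the
# "entry" check of the new object.
# NOTE(review): "dn.sub" grants write on "entry" to every user under
# ou=People, so any user can modify or delete any contact, not only the ones
# they added -- tighten if that is not acceptable.
access to dn.regex="^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=children,entry,inetOrgPerson,evolutionperson,calEntry
by dn.sub,expand="ou=People,$2" write
by group.expand="cn=Replicator,ou=Group,$2" write
by users read
by anonymous read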
 