|
8 |
nestedGroups = configRegistry.is_true('ldap/acl/nestedgroups', True) |
8 |
nestedGroups = configRegistry.is_true('ldap/acl/nestedgroups', True) |
9 |
|
9 |
|
10 |
if configRegistry.is_true('ldap/acl/slavepdc', True): |
10 |
if configRegistry.is_true('ldap/acl/slavepdc', True): |
11 |
print 'access to dn.regex="^cn=([^,]+),cn=([^,]+),cn=temporary,cn=univention,%s$$" filter="(&(objectClass=lock)(!(objectClass=posixAccount)))"' % ldap_base |
11 |
print 'access to dn.regex="^cn=([^,]+),cn=([^,]+),cn=temporary,cn=univention,%s$" filter="(&(objectClass=lock)(!(objectClass=posixAccount)))"' % ldap_base |
12 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
12 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
13 |
if nestedGroups: |
13 |
if nestedGroups: |
14 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
14 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
|
17 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
17 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
18 |
print ' by * read break' |
18 |
print ' by * read break' |
19 |
|
19 |
|
20 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$$" attrs=children,entry' % ldap_base |
20 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base |
21 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
21 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
22 |
if nestedGroups: |
22 |
if nestedGroups: |
23 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
23 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
|
26 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
26 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
27 |
print ' by * read break' |
27 |
print ' by * read break' |
28 |
|
28 |
|
29 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$$" attrs=univentionLastUsedValue' % ldap_base |
29 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base |
30 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
30 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
31 |
if nestedGroups: |
31 |
if nestedGroups: |
32 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
32 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
|
62 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
62 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
63 |
print ' by * read break' |
63 |
print ' by * read break' |
64 |
|
64 |
|
65 |
print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
65 |
print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
66 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
66 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
67 |
if nestedGroups: |
67 |
if nestedGroups: |
68 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
68 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
|
72 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
72 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
73 |
print ' by * none' |
73 |
print ' by * none' |
74 |
|
74 |
|
75 |
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
75 |
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
76 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
76 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
77 |
if nestedGroups: |
77 |
if nestedGroups: |
78 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
78 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
|
82 |
print ' by self %s' % ( usr ) |
82 |
print ' by self %s' % ( usr ) |
83 |
print ' by * none' |
83 |
print ' by * none' |
84 |
|
84 |
|
85 |
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$$" attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaAcctFlags' % ( ldap_base ) |
85 |
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaAcctFlags' % ( ldap_base ) |
86 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
86 |
print ' by dn.base="cn=admin,%s" %s' % ( ldap_base, usr ) |
87 |
if nestedGroups: |
87 |
if nestedGroups: |
88 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
88 |
print ' by set="user & [cn=Domain Admins,cn=groups,%s]/uniqueMember*" %s' % ( ldap_base, usr ) |
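Review bot: The host-credential rules at file lines 65, 75 and 85 still match with `dn.regex="^cn=.*,cn=...,cn=computers,%s$"`, where `.*` runs across RDN boundaries and `ldap_base` is interpolated into the pattern unescaped, so any regex metacharacter in the base DN (a `.`, for example) is interpreted rather than matched literally. `ldap_base` is set outside the visible lines, so whether it can contain such characters cannot be confirmed from here. Because these three patterns only anchor to a subtree, a scope style such as `access to dn.children="cn=dc,cn=computers,%s" attrs=...` would avoid regex interpretation of the base DN entirely. It would also cover entries whose RDN is not `cn=`, which is the safer direction for rules on password attributes that end in `by * none`. The `cn=temporary` rules limit the depth with `[^,]+` and are a separate case.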