Attachment #9794 for bug #39345

(-)a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database (-4 / +15 lines)

Lines 2-7	Link Here

modulepath	/usr/lib/ldap

modulepath	/usr/lib/ldap

moduleload	back_@%@ldap/database/type@%@.so

moduleload	back_@%@ldap/database/type@%@.so

@!@

@!@

import ldap

def print_checked_base(confpart):

	if not ldap.dn.is_dn(configRegistry['ldap/base']):

		import sys

		errmsg = '#Error: ucr key ‘ldap/base’ is not a valid dn!'

		print >>sys.stderr, errmsg

		print errmsg

		print '#', # quote the following template line

	print confpart

if configRegistry.get('ldap/translogfile'):

if configRegistry.get('ldap/translogfile'):

	print "moduleload\ttranslog.so"

	print "moduleload\ttranslog.so"

if configRegistry.is_true('ldap/k5pwd', True):

if configRegistry.is_true('ldap/k5pwd', True):

Lines 16-22 print 'moduleload\tconstraint.so'	Link Here

print '\n'

print '\n'

print 'database\t%(ldap/database/type)s' % configRegistry

print 'database\t%(ldap/database/type)s' % configRegistry

print 'suffix\t\t"%(ldap/base)s"' % configRegistry

print_checked_base('suffix\t\t"%(ldap/base)s"' % configRegistry)

print ''

print ''

if configRegistry.get('ldap/translogfile'):

if configRegistry.get('ldap/translogfile'):

Lines 114-124 for key in configRegistry.get('ldap/limits', '').split(';'):	Link Here

114

125

115

print

126

print

116

if configRegistry['ldap/server/type'] == "master":

127

if configRegistry['ldap/server/type'] == "master":

117

	print 'rootdn\t\t"cn=admin,%(ldap/base)s"' % configRegistry

128

	print_checked_base('rootdn\t\t"cn=admin,%(ldap/base)s"' % configRegistry)

118

elif configRegistry['ldap/server/type'] == "slave":

129

elif configRegistry['ldap/server/type'] == "slave":

119

	print 'rootdn\t\t"cn=update,%s"'%configRegistry['ldap/base']

130

	print_checked_base('rootdn\t\t"cn=update,%s"'%configRegistry['ldap/base'])

120

	print 'include\t\t/etc/ldap/rootpw.conf'

131

	print 'include\t\t/etc/ldap/rootpw.conf'

121

	print 'updatedn\t"cn=update,%s"'%configRegistry["ldap/base"]

132

	print_checked_base('updatedn\t"cn=update,%s"'%configRegistry["ldap/base"])

122

	if configRegistry.is_true("ldap/online/master", True):

133

	if configRegistry.is_true("ldap/online/master", True):

123

		print 'updateref\tldap://%s:%s'% (configRegistry["ldap/master"], configRegistry.get("ldap/master/port", 7389))

134

		print 'updateref\tldap://%s:%s'% (configRegistry["ldap/master"], configRegistry.get("ldap/master/port", 7389))

124

@!@

135

@!@

(-)a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master (-15 / +25 lines)

Lines 1-5	Link Here

@!@

@!@

from univention.lib.misc import custom_username, custom_groupname

from univention.lib.misc import custom_username, custom_groupname

import ldap

def print_checked_base(confpart):

	if not ldap.dn.is_dn(configRegistry['ldap/base']):

		import sys

		errmsg = '#Error: ucr key ‘ldap/base’ is not a valid dn!'

		print >>sys.stderr, errmsg

		print errmsg

		print '#', # quote the following template line

	print confpart

ldap_base = configRegistry['ldap/base']

ldap_base = configRegistry['ldap/base']

ldap_port = configRegistry['slapd/port']

ldap_port = configRegistry['slapd/port']

Lines 10-16 users_default_administrator = custom_username('Administrator')	Link Here

print 'authz-regexp'

print 'authz-regexp'

print '    uid=([^,]*),cn=(gssapi|saml),cn=auth'

print '    uid=([^,]*),cn=(gssapi|saml),cn=auth'

print '    ldap:///%s??sub?uid=$1' % (ldap_base,)

print_checked_base('    ldap:///%s??sub?uid=$1' % (ldap_base,))

print

print

print 'access to attrs=uid value=root by * none stop'

print 'access to attrs=uid value=root by * none stop'

Lines 20-26 print ' by anonymous auth'	Link Here

print '    by * none break'

print '    by * none break'

print ''

print ''

print 'access to dn="cn=admin,%s"' % (ldap_base)

print_checked_base('access to dn="cn=admin,%s"' % (ldap_base))

print '    by self %s' % (usr)

print '    by self %s' % (usr)

print '    by * none'

print '    by * none'

print ''

print ''

Lines 28-66 print ''	Link Here

print 'access to *'

print 'access to *'

print '    by sockname="PATH=/var/run/slapd/ldapi" %s' % (usr)

print '    by sockname="PATH=/var/run/slapd/ldapi" %s' % (usr)

if configRegistry['ldap/server/type'] == "slave":

if configRegistry['ldap/server/type'] == "slave":

	print '    by dn.base="cn=admin,%s" %s' % (ldap_base, usr)

	print_checked_base('    by dn.base="cn=admin,%s" %s' % (ldap_base, usr))

print '    by dn.base="uid=%s,cn=users,%s" %s' % (users_default_administrator, ldap_base, usr)

print_checked_base('    by dn.base="uid=%s,cn=users,%s" %s' % (users_default_administrator, ldap_base, usr))

print '    by * none break'

print '    by * none break'

print ''

print ''

print 'access to dn="uid=%s,cn=users,%s"' % (users_default_administrator, ldap_base)

print_checked_base('access to dn="uid=%s,cn=users,%s"' % (users_default_administrator, ldap_base))

print '    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)

print_checked_base('    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr))

if configRegistry['ldap/server/type'] == "slave":

if configRegistry['ldap/server/type'] == "slave":

	print '    by dn.base="cn=admin,%s" %s' % (ldap_base, usr)

	print_checked_base('    by dn.base="cn=admin,%s" %s' % (ldap_base, usr))

print '    by self %s' % (usr)

print '    by self %s' % (usr)

print '    by * +0 break'

print '    by * +0 break'

print ''

print ''

print 'access to dn="uid=join-backup,cn=users,%s"' % (ldap_base)

print_checked_base('access to dn="uid=join-backup,cn=users,%s"' % (ldap_base))

print '    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)

print_checked_base('    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr))

if configRegistry['ldap/server/type'] == "slave":

if configRegistry['ldap/server/type'] == "slave":

	print '    by dn.base="cn=admin,%s" %s' % (ldap_base, usr)

	print_checked_base('    by dn.base="cn=admin,%s" %s' % (ldap_base, usr))

print '    by self %s' % (usr)

print '    by self %s' % (usr)

print '    by * +0 break'

print '    by * +0 break'

print ''

print ''

print 'access to dn="uid=join-slave,cn=users,%s"' % (ldap_base)

print_checked_base('access to dn="uid=join-slave,cn=users,%s"' % (ldap_base))

print '    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)

print_checked_base('    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr))

if configRegistry['ldap/server/type'] == "slave":

if configRegistry['ldap/server/type'] == "slave":

	print '    by dn.base="cn=admin,%s" %s' % (ldap_base, usr)

	print_checked_base('    by dn.base="cn=admin,%s" %s' % (ldap_base, usr))

print '    by self %s' % (usr)

print '    by self %s' % (usr)

print '    by * +0 break'

print '    by * +0 break'

print ''

print ''

print 'access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid'

print 'access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid'

print '    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)

print_checked_base('    by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr))

if configRegistry['ldap/server/type'] == "slave":

if configRegistry['ldap/server/type'] == "slave":

	print '    by dn.base="cn=admin,%s" %s' % (ldap_base, usr)

	print_checked_base('    by dn.base="cn=admin,%s" %s' % (ldap_base, usr))

print '    by * +0 break'

print '    by * +0 break'

print ''

print ''




@!@
import ldap

def print_checked_base(confpart):
	if not ldap.dn.is_dn(configRegistry['ldap/base']):
		import sys
		errmsg = '#Error: ucr key ‘ldap/base’ is not a valid dn!'
		print >>sys.stderr, errmsg
		print errmsg
		print '#', # quote the following template line
	print confpart

print_checked_base(
'''
access to dn="cn=portal,cn=univention,%(base)s" attrs=children
	by dn.onelevel="cn=dc,cn=computers,%(base)s" write
	by dn.onelevel="cn=memberserver,cn=computers,%(base)s" write
	by * +0 break

access to dn.children="cn=portal,cn=univention,%(base)s" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal
	by dn.onelevel="cn=dc,cn=computers,%(base)s" write
	by dn.onelevel="cn=memberserver,cn=computers,%(base)s" write
	by * +0 break
''' % {'base': configRegistry['ldap/base']}
@!@

Return to bug 39345