Lines 19-25
| 19 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
19 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 20 |
else: |
20 |
else: |
| 21 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
21 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 22 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
22 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 23 |
print ' by * read break' |
23 |
print ' by * read break' |
| 24 |
|
24 |
|
| 25 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base |
25 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base |
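Review bot: Switching the bind-DN match in `print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )` from `dn.onelevel` to `dn.children` widens it from the direct children of cn=dc,cn=computers to every entry at any depth below that container, so any object that can be created deeper in that subtree inherits the DC privilege level `usr` on every rule that follows, and the commit gives no comment explaining why the wider scope is needed. The same widening recurs in every other hunk on this page (Lines 28-34 through 137-144), and from Lines 107-114 onward it also applies to the cn=memberserver clauses, which in Lines 127-134 and 137-144 grant `write` on the cn=idmap subtree. Because the rule emitted at line 48 grants `children,entry` on the whole cn=computers subtree to the same `dn.children` DC set, a DC can itself create nested entries under cn=dc,cn=computers that then match the widened clause; whether any less-privileged identity can do so is not visible here and should be confirmed. At minimum the generated ACL deserves a comment such as `# dn.children: DC/memberserver accounts may live in sub-containers below cn=dc / cn=memberserver; nothing else may be created there`. The enclosing if/else and the function that emits these lines start outside the hunk.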
Lines 28-34
| 28 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
28 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 29 |
else: |
29 |
else: |
| 30 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
30 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 31 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
31 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 32 |
print ' by * read break' |
32 |
print ' by * read break' |
| 33 |
|
33 |
|
| 34 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base |
34 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base |
Lines 37-48
| 37 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
37 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 38 |
else: |
38 |
else: |
| 39 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
39 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 40 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
40 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 41 |
print ' by * read break' |
41 |
print ' by * read break' |
| 42 |
|
42 |
|
| 43 |
print '## to prevent uidNumber=0 modifications' |
43 |
print '## to prevent uidNumber=0 modifications' |
| 44 |
print 'access to attrs=uidNumber value=0' |
44 |
print 'access to attrs=uidNumber value=0' |
| 45 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
45 |
print ' by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
| 46 |
print ' by * read break' |
46 |
print ' by * read break' |
| 47 |
|
47 |
|
| 48 |
print 'access to dn.subtree="cn=computers,%s" attrs=children,entry filter="(!(uidNumber=0))"' % ( ldap_base ) |
48 |
print 'access to dn.subtree="cn=computers,%s" attrs=children,entry filter="(!(uidNumber=0))"' % ( ldap_base ) |
Lines 51-57
| 51 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
51 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 52 |
else: |
52 |
else: |
| 53 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
53 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 54 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
54 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 55 |
print ' by * read break' |
55 |
print ' by * read break' |
| 56 |
|
56 |
|
| 57 |
print 'access to dn.children="%s" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=%s)))"' % ( ldap_base, groups_default_windowshosts) |
57 |
print 'access to dn.children="%s" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=%s)))"' % ( ldap_base, groups_default_windowshosts) |
Lines 60-66
| 60 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
60 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 61 |
else: |
61 |
else: |
| 62 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
62 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 63 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
63 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 64 |
print ' by * read break' |
64 |
print ' by * read break' |
| 65 |
|
65 |
|
| 66 |
print 'access to dn.children="%s" filter="(objectClass=sambaDomain)"' % ( ldap_base ) |
66 |
print 'access to dn.children="%s" filter="(objectClass=sambaDomain)"' % ( ldap_base ) |
Lines 69-75
| 69 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
69 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 70 |
else: |
70 |
else: |
| 71 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
71 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 72 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
72 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 73 |
print ' by * read break' |
73 |
print ' by * read break' |
| 74 |
|
74 |
|
| 75 |
print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
75 |
print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
Lines 79-85
| 79 |
else: |
79 |
else: |
| 80 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
80 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 81 |
print ' by self %s' % ( usr ) |
81 |
print ' by self %s' % ( usr ) |
| 82 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
82 |
print ' by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
| 83 |
print ' by * none' |
83 |
print ' by * none' |
| 84 |
|
84 |
|
| 85 |
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
85 |
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
Lines 88-94
| 88 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
88 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 89 |
else: |
89 |
else: |
| 90 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
90 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 91 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
91 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 92 |
print ' by self %s' % ( usr ) |
92 |
print ' by self %s' % ( usr ) |
| 93 |
print ' by * none' |
93 |
print ' by * none' |
| 94 |
|
94 |
|
Lines 98-104
| 98 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
98 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 99 |
else: |
99 |
else: |
| 100 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
100 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 101 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
101 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 102 |
print ' by * read break' |
102 |
print ' by * read break' |
| 103 |
|
103 |
|
| 104 |
print 'access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword' |
104 |
print 'access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword' |
Lines 107-114
| 107 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
107 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 108 |
else: |
108 |
else: |
| 109 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
109 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 110 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
110 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 111 |
print ' by dn.onelevel="cn=memberserver,cn=computers,%s" read' % ( ldap_base ) |
111 |
print ' by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base ) |
| 112 |
print ' by * none' |
112 |
print ' by * none' |
| 113 |
|
113 |
|
| 114 |
print 'access to attrs=shadowMax,krb5PasswordEnd,shadowLastChange' |
114 |
print 'access to attrs=shadowMax,krb5PasswordEnd,shadowLastChange' |
Lines 117-124
| 117 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
117 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 118 |
else: |
118 |
else: |
| 119 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
119 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 120 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
120 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 121 |
print ' by dn.onelevel="cn=memberserver,cn=computers,%s" read' % ( ldap_base ) |
121 |
print ' by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base ) |
| 122 |
print ' by * read break' |
122 |
print ' by * read break' |
| 123 |
|
123 |
|
| 124 |
print 'access to dn.base="cn=idmap,cn=univention,%s"' % ( ldap_base ) |
124 |
print 'access to dn.base="cn=idmap,cn=univention,%s"' % ( ldap_base ) |
Lines 127-134
| 127 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
127 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 128 |
else: |
128 |
else: |
| 129 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
129 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 130 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
130 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 131 |
print ' by dn.onelevel="cn=memberserver,cn=computers,%s" write' % ( ldap_base ) |
131 |
print ' by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base ) |
| 132 |
print ' by * none' |
132 |
print ' by * none' |
| 133 |
|
133 |
|
| 134 |
print 'access to dn.children="cn=idmap,cn=univention,%s" filter="(&(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))(!(objectClass=posixAccount)))"' % ( ldap_base ) |
134 |
print 'access to dn.children="cn=idmap,cn=univention,%s" filter="(&(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))(!(objectClass=posixAccount)))"' % ( ldap_base ) |
Lines 137-144
| 137 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
137 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 138 |
else: |
138 |
else: |
| 139 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
139 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
| 140 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
140 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
| 141 |
print ' by dn.onelevel="cn=memberserver,cn=computers,%s" write' % ( ldap_base ) |
141 |
print ' by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base ) |
| 142 |
print ' by * none' |
142 |
print ' by * none' |
| 143 |
|
143 |
|
| 144 |
print 'access to *' |
144 |
print 'access to *' |