# Warning: This file is auto-generated and might be overwritten by
# univention-baseconfig.
# Please edit the files in the following directory instead:
#
# /etc/univention/templates/files/etc/ldap/slapd.conf.d/
#
# OpenLDAP slapd.conf for a UCS@school directory with suffix
# "dc=kunde,dc=de".  Layout: schema includes, global server settings,
# one bdb database with the translog overlay, then the access-control
# list.  ACLs are evaluated top to bottom; the first "access to" whose
# <what> matches an operation decides it, unless the matching <by>
# clause ends in "break", which hands the decision on to the following
# "access to" directives.  In dn.regex/filter values "$$" is the escaped
# end-of-string anchor and "$1".."$4" are regex back-references.
# Reviewer remarks are marked NOTE(review).

# ---- schema ---------------------------------------------------------
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /usr/share/univention-ldap/schema/samba.schema
include /usr/share/univention-ldap/schema/mail.schema
include /usr/share/univention-ldap/schema/user.schema
include /usr/share/univention-ldap/schema/directory.schema
include /usr/share/univention-ldap/schema/policy.schema
include /usr/share/univention-ldap/schema/univention.schema
include /usr/share/univention-ldap/schema/lock.schema
include /usr/share/univention-ldap/schema/custom-attribute.schema
include /usr/share/univention-ldap/schema/krb5-kdc.schema
include /usr/share/univention-ldap/schema/dhcp.schema
include /usr/share/univention-ldap/schema/univention-dhcp.schema
include /usr/share/univention-ldap/schema/dnszone.schema
include /usr/share/univention-ldap/schema/univention-default.schema
include /usr/share/univention-ldap/schema/license.schema
include /usr/share/univention-ldap/schema/share.schema
include /usr/share/univention-ldap/schema/printer.schema
include /usr/share/univention-ldap/schema/automount.schema
include /usr/share/univention-ldap/schema/network.schema
include /usr/share/univention-ldap/schema/solaris.schema
include /usr/share/univention-ldap/schema/courier.schema
include /usr/share/univention-ldap/schema/rfc2739.schema
include /usr/share/univention-ldap/schema/kolab2.schema
include /usr/share/univention-ldap/schema/univention-kolab2.schema
include /usr/share/univention-ldap/schema/scalix.schema
include /usr/share/univention-ldap/schema/univention-scalix.schema
include /usr/share/univention-ldap/schema/univention-syntax.schema
include /usr/share/univention-ldap/schema/admin-settings.schema
include /usr/share/univention-ldap/schema/template.schema
include /usr/share/univention-ldap/schema/univention-ldap-acl.schema
include /usr/share/univention-ldap/schema/nagios.schema
include /usr/share/univention-ldap/schema/univention-directory.schema
include /usr/share/univention-ldap/schema/umc-helpdesk.schema
include /usr/share/univention-ldap/schema/univention-ict-basel.schema
include /usr/share/univention-ldap/schema/ucs-school-import.schema

# ---- global settings ------------------------------------------------
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# NOTE(review): loglevel 0 disables slapd's syslog output entirely, so
# no connection, bind or operation records reach the log host for
# detection or incident reconstruction.  The commented-out value kept
# "stats" (256) logging; re-enabling at least 256 is the usual baseline.
#loglevel 128 256
loglevel 0
# bind_v2: accept LDAPv2 bind requests.
# update_anon: let unauthenticated clients submit update operations;
# whether they succeed is then decided solely by the ACLs below.
allow bind_v2 update_anon
# Server certificate/key issued by the UCS CA for this host, plus the CA
# used to verify peers.  No "security" or "TLSVerifyClient" directive is
# visible in this file, so minimum SSF / cleartext-bind policy is either
# left at defaults or set in the included replica.conf — confirm.
TLSCertificateFile /etc/univention/ssl/ucs-mas-01.intra.edubs.ch/cert.pem
TLSCertificateKeyFile /etc/univention/ssl/ucs-mas-01.intra.edubs.ch/private.key
TLSCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
# Maximum entries returned per search; 0 idle timeout means idle
# connections are never closed by the server.
sizelimit 400000
idletimeout 0
attributeoptions "entry-"

# ---- database definition --------------------------------------------
modulepath /usr/lib/ldap
moduleload back_bdb.so
moduleload translog.so
database bdb
suffix "dc=kunde,dc=de"
# translog writes every committed change to the listener transaction log
# consumed by the Univention listener/notifier.
overlay translog
translog /var/lib/univention-ldap/listener/listener
cachesize 20000
idlcachesize 20000
threads 16
# bdb checkpoint every 1024 kB of transaction log or every 30 minutes.
checkpoint 1024 30
index uid,cn,sn,givenName,mail pres,eq,sub,approx
index description,displayName,mailPrimaryAddress,mailAlternativeAddress pres,eq,sub
index objectClass,uidNumber,gidNumber,memberUid,ou,uniqueMember,macAddress,dhcpHWAddress,krb5PrincipalName,aRecord,kolabHomeServer,univentionPolicyReference,homeDirectory pres,eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName,relativeDomainName,pTRRecord,zoneName,univentionServerRole,univentionService,automountInformation,sambaAcctFlags eq
index default sub
index alias approx
# Authenticated users get unlimited search time; no matching relaxation
# for anonymous clients is configured here.
limits users time.soft=-1 time.hard=-1
directory "/var/lib/univention-ldap/ldap"
# Maintain the operational create/modify attributes (needed by the
# listener and useful for auditing).
lastmod on

# ---- ACLs: replication rights of DC slaves and member servers ---------
# The four group/univentionGroup/uniqueMember clauses below refer to the
# UCS@school role groups DC-Verwaltungsnetz, Member-Verwaltungsnetz,
# DC-Edukativnetz and Member-Edukativnetz.

# Slave controllers and member servers: update of sambaNextRid during the
# join process (covers new and old ldap style)
access to filter="(objectClass=sambaDomain)" attrs=sambaNextRid
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by * none break

# Slave controllers and member servers may replicate only the univention
# container entry itself
access to dn="cn=univention,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by * none break

# Slave controllers may replicate the custom attributes container and its
# contents
access to dn.subtree="cn=custom attributes,cn=univention,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by * none break

# Slave controllers need the console container for the teacher-console
# permissions
access to dn.subtree="cn=console,cn=univention,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by * none break

# Slave controllers and member servers need the idmap container
access to dn.base="cn=idmap,cn=univention,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by * none break

# Slave controllers and member servers need the ID-mapping entries
access to dn.subtree="cn=idmap,cn=univention,dc=kunde,dc=de" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by * none break

# Slave controllers may replicate the samba container and its contents
access to dn.subtree="cn=samba,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by * none break

# Otherwise they may not replicate anything from cn=univention,BASEDN
access to dn.subtree="cn=univention,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by * none break

# ---- identity mapping and base ACLs ----------------------------------
# Map a GSSAPI principal "<uid>@REALM" to the entry found by a subtree
# search for uid=<uid> below the suffix.  NOTE(review): the search is
# scope "sub" over the whole suffix; if the same uid exists in more than
# one OU the mapping is ambiguous — verify uids are unique domain-wide.
sasl-regexp uid=(.*),cn=gssapi,cn=auth ldap:///"dc=kunde,dc=de"??sub?uid=$1

# Anonymous clients may only use userPassword for simple-bind
# authentication, never read it.
access to attrs=userPassword
	by anonymous auth
	by * none break

# The admin entry is visible to itself only (no "break": this is final).
access to dn="cn=admin,dc=kunde,dc=de"
	by self write
	by * none

# NOTE(review): this grants write on every entry to any client connected
# through the local ldapi socket, regardless of bind identity; together
# with "allow update_anon" above, an unbound local client is not stopped
# by ACLs.  Protection therefore rests on the socket's filesystem
# permissions, which are not visible in this file — confirm they restrict
# the socket to root / the intended service accounts.
access to *
	by sockname="PATH=/var/run/slapd/ldapi" write
	by * none break

# Domain Admins, root, cn=admin and the entry itself may write the
# privileged join/administrator accounts; everyone else falls through
# with read.
access to dn="uid=Administrator,cn=users,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by self write
	by * read break
access to dn="uid=join-backup,cn=users,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by self write
	by * read break
access to dn="uid=join-slave,cn=users,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by self write
	by * read break

# POSIX/account attributes: writable by the admin principals, readable
# by everyone (falls through).
access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
	by group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by * read break

# Credential attributes: the owner may change them; for everybody else
# the decision is deferred ("break") to the more specific rules below.
# NOTE(review): krb5PasswordEnd, shadowMax and shadowLastChange appear
# in this list but not in the terminating "by * none" credential rule
# near the end of the file, so for clients no later rule stops they
# appear to fall through to the final "access to * … by * read".
access to attrs="krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,pwhistory,sambaPasswordHistory,krb5KDCFlags,krb5KeyVersionNumber,krb5PasswordEnd,shadowMax,shadowLastChange"
	by self write
	by * none break

### moved to this position by the partner
# Kolab mail-forwarding/vacation settings are private to the owner.
access to attrs="univentionKolabForwardActive,kolabForwardAddress,kolabForwardKeepCopy,kolabForwardUCE,univentionKolabDeliveryToFolderActive,univentionKolabDeliveryToFolderName,kolabDelegate,univentionKolabVacationActive,univentionKolabVacationText,kolabVacationResendInterval,kolabVacationReplyToUCE,kolabVacationAddress,kolabVacationReactDomain,univentionKolabVacationNoReactDomain,kolabInvitationPolicy"
	by self write
	by * none break
### moved to this position by the partner

# Any authenticated user may create children below cn=admin-settings …
access to dn="cn=admin-settings,cn=univention,dc=kunde,dc=de" attrs="entry,children"
	by users write
	by * none break
# … and may write the settings entry whose uid matches their own.
# NOTE(review): the <by> regex is unanchored and contains ".*", so it
# matches any bind DN that merely contains "uid=<same uid>," followed
# somewhere by the suffix; "^uid=$1,…$$" would pin it to the intended
# user entry — confirm the intended scope.
access to dn.regex="uid=([^,]+),cn=admin-settings,cn=univention,dc=kunde,dc=de"
	by dn.regex="uid=$1,.*dc=kunde,dc=de" write
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by * none

access to dn="cn=Subschema"
	by * read

# Teachers, staff and OU admins may read the base entry.
access to dn.regex="^dc=kunde,dc=de$$"
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=([^,]+),dc=kunde,dc=de$$" read
	by * none break

# Slave controllers may read the global containers computers, shares,
# dns, dhcp, kerberos and policies, as well as users
access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)dc=kunde,dc=de$$"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by * none break

# ---- per-OU delegation: teachers and OU admins ------------------------

# Teachers and OU admins may change student passwords (same OU only:
# the <by> regex reuses the OU captured as $2 in <what>)
access to dn.regex="^uid=([^,]+),cn=schueler,cn=users,ou=([^,]+),dc=kunde,dc=de$$" attrs=krb5KeyVersionNumber,krb5KDCFlags,krb5Key,krb5PasswordEnd,sambaAcctFlags,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,shadowLastChange,shadowMax,userPassword,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaBadPasswordCount
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=$2,dc=kunde,dc=de$$" write
	by * none break

# Teachers may edit student groups
access to dn.regex="^cn=([^,]+),cn=schueler,cn=groups,ou=([^,]+),dc=kunde,dc=de$$" attrs=uniqueMember,memberUid
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=$2,dc=kunde,dc=de$$" write
	by * none break

# Teachers and OU admins may create and edit room groups
access to dn.regex="^cn=raeume,cn=groups,ou=([^,]+),dc=kunde,dc=de$$" attrs=children,entry
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=$1,dc=kunde,dc=de$$" write
	by * none break
access to dn.regex="^cn=([^,]+),cn=raeume,cn=groups,ou=([^,]+),dc=kunde,dc=de$$"
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=$2,dc=kunde,dc=de$$" write
	by * none break

# Teachers may edit print quotas
# TODO
# Teachers may edit disk quotas
# TODO

# Computers may change their own password.  NOTE(review): both regexes
# lack a leading "^"; slapd regex matching is a search, so the pattern
# also matches any DN that merely contains ",cn=server,cn=computers,ou=…"
# — harmless with the current tree, but an anchor is cheap.
access to dn.regex="cn=.*,cn=server,cn=computers,ou=([^,]+),dc=kunde,dc=de$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
	by self write
	by * none break
access to dn.regex="cn=.*,cn=dc,cn=server,cn=computers,ou=([^,]+),dc=kunde,dc=de$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
	by self write
	by * none break

# Members of the local (OU) administrators may change passwords below
# cn=users of their OU ("cn=admins-<OU>" via .expand of $2)
access to dn.regex="^uid=(.+),cn=users,ou=([^,]+),dc=kunde,dc=de$$" attrs=krb5KeyVersionNumber,krb5KDCFlags,krb5Key,krb5PasswordEnd,sambaAcctFlags,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,shadowLastChange,shadowMax,userPassword,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaBadPasswordCount
	by group/univentionGroup/uniqueMember.expand="cn=admins-$2,cn=ouadmins,cn=groups,dc=kunde,dc=de" write
	by * none break

# Members of the local administrators may create groups, but not modify
# class groups
access to dn.regex="^(cn=lehrer,|cn=schueler,|)cn=groups,ou=([^,]+),dc=kunde,dc=de$$" attrs=children,entry
	by group/univentionGroup/uniqueMember.expand="cn=admins-$2,cn=ouadmins,cn=groups,dc=kunde,dc=de" write
	by * none break
access to dn.regex="^cn=([^,]+),(cn=lehrer,|cn=schueler,|)cn=groups,ou=([^,]+),dc=kunde,dc=de$$" filter="objectClass=univentionGroup"
	by group/univentionGroup/uniqueMember.expand="cn=admins-$3,cn=ouadmins,cn=groups,dc=kunde,dc=de" write
	by * none break

# Members of the local administrators may create shares, but not modify
# class shares
access to dn.regex="^cn=shares,ou=([^,]+),dc=kunde,dc=de$$" attrs=children,entry
	by group/univentionGroup/uniqueMember.expand="cn=admins-$1,cn=ouadmins,cn=groups,dc=kunde,dc=de" write
	by * none break
access to dn.regex="^cn=([^,]+),cn=shares,ou=([^,]+),dc=kunde,dc=de$$" filter="objectClass=univentionShare"
	by group/univentionGroup/uniqueMember.expand="cn=admins-$2,cn=ouadmins,cn=groups,dc=kunde,dc=de" write
	by * none break

# Members of the local administrators must be able to write some
# temporary (lock) objects; because regular expressions cannot be applied
# to group memberships, this is granted to all teachers/staff/admins of
# every OU.
access to dn.regex="^cn=([^,]+),cn=(groupName|sid|gid|gidNumber|mac),cn=temporary,cn=univention,dc=kunde,dc=de$$" filter="(&(objectClass=lock)(!(objectClass=posixAccount)))"
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=([^,]+),dc=kunde,dc=de$$" write
	by * none break
access to dn.regex="^cn=(groupName|sid|gid|gidNumber|mac),cn=temporary,cn=univention,dc=kunde,dc=de$$" attrs=children,entry
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=([^,]+),dc=kunde,dc=de$$" write
	by * none break
access to dn.base="cn=gidNumber,cn=temporary,cn=univention,dc=kunde,dc=de" attrs=univentionLastUsedValue
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=([^,]+),dc=kunde,dc=de$$" write
	by * none break

# Members of the local administrators may change MAC addresses in the
# computer and DHCP objects
access to dn.regex="^cn=([^,]+),cn=computers,ou=([^,]+),dc=kunde,dc=de$$" attrs=macAddress,sambaNTPassword
	by group/univentionGroup/uniqueMember.expand="cn=admins-$2,cn=ouadmins,cn=groups,dc=kunde,dc=de" write
	by * none break
# NOTE(review): in this <what> regex the groups are $1="(^cn=…,|^)",
# $2=the optional leading cn, $3=the cn directly below cn=dhcp and
# $4=the OU.  The <by> clause expands "admins-$3", i.e. the DHCP service
# name, not the OU ($4).  This only targets the right OU admin group if
# the DHCP service is named exactly like the OU — confirm, or use $4.
access to dn.regex="(^cn=([^,]+),|^)cn=([^,]+),cn=dhcp,ou=([^,]+),dc=kunde,dc=de$$"
	by group/univentionGroup/uniqueMember.expand="cn=admins-$3,cn=ouadmins,cn=groups,dc=kunde,dc=de" write
	by * none break

# Members of the local administrators may join the DC slave and member
# server (requires a password change)
access to dn.regex="(^cn=dc[^,]+,cn=dc|cn=mb[^,]+),cn=server,cn=computers,ou=([^,]+),dc=kunde,dc=de$$" attrs=krb5KeyVersionNumber,krb5KDCFlags,krb5Key,krb5PasswordEnd,sambaAcctFlags,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,shadowLastChange,shadowMax,userPassword,pwhistory,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory
	by group/univentionGroup/uniqueMember.expand="cn=admins-$2,cn=ouadmins,cn=groups,dc=kunde,dc=de" write
	by * none break

# OU admins may update the SOA record of DNS zones.
access to dn.regex="^zoneName=[^,]+,cn=dns,dc=kunde,dc=de$$" attrs=sOARecord
	by dn.regex="^uid=([^,]+),cn=admins,cn=users,ou=([^,]+),dc=kunde,dc=de$$" write
	by * none break

# ---- per-OU replication scope --------------------------------------

# Slave controllers and member servers from the Verwaltungsnetz group may
# not replicate the contents of the student container
access to dn.regex="^.+,cn=schueler,cn=users,ou=[^,]+,dc=kunde,dc=de$$"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by * none break

# Slave controllers and member servers from the Verwaltungsnetz group may
# replicate only staff entries carrying the matching UCS@school role
access to dn.regex="^.+,cn=mitarbeiter,cn=users,ou=[^,]+,dc=kunde,dc=de$$" filter="(!(ucsschoolRole=staff))"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by * none break

# Member servers may read certain attributes.
# NOTE(review): this is the widest credential-read grant in the file —
# every member of the two Member-* groups can read password hashes and
# Kerberos keys of every entry below any ou=.  It is a deliberate grant,
# so the membership of those two groups should be kept to joined member
# servers only and changes to it monitored.
access to dn.regex="^(.+,)?ou=([^,]+),dc=kunde,dc=de$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by * none break

# Master and backup systems may read and write the entries of all OUs
access to dn.regex="^(.+,)?ou=([^,]+),dc=kunde,dc=de$$"
	by group/univentionGroup/uniqueMember.expand="cn=DC Backup Hosts,cn=groups,dc=kunde,dc=de" write
	by * none break

# Slave controllers may read and write the entries of their own OU
# (password changes etc.); teachers may read them; the OU's own users
# fall through to the standard ACLs ("none break"); servers/users from
# other OUs get nothing.
access to dn.regex="^(.+,)?ou=([^,]+),dc=kunde,dc=de$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=$2,dc=kunde,dc=de$$" read
	by dn.regex="^uid=(.+,)?cn=users,ou=$2,dc=kunde,dc=de$$" none break
	by dn.regex="^uid=(.+,)?ou=([^,]+),dc=kunde,dc=de$$" none
	by * none break

# Slave controllers may edit class groups (EXCEPTION! Needed for the
# teacher assignment in UMC!)
access to dn.regex="^cn=klassen,cn=schueler,cn=groups,ou=([^,]+),dc=kunde,dc=de$$" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by * none break
access to dn.regex="^cn=([^,]+),cn=klassen,cn=schueler,cn=groups,ou=([^,]+),dc=kunde,dc=de$$"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" write
	by * none break

# Slave controllers may replicate the nagios container and its contents
access to dn.subtree="cn=nagios,dc=kunde,dc=de"
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" read
	by * none break

# Students, teachers, staff and admins may read the global containers
# univention, policies, groups and dns (shown for students/computers).
# NOTE(review): the comment names students, but the <by> clause only
# matches cn=(lehrer|mitarbeiter|admins); students are not covered here.
access to dn.regex="(^(.+,)?cn=(univention|policies|dns|groups),|^)dc=kunde,dc=de$$"
	by dn.regex="^uid=([^,]+),cn=(lehrer|mitarbeiter|admins),cn=users,ou=([^,]+),dc=kunde,dc=de$$" read
	by * none break

# Slave controllers and ordinary teachers may read nothing else; students
# cannot anyway.  (Every clause ends in "break", so this rule itself
# decides nothing and the rules below still apply.)
access to *
	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=kunde,dc=de" none
	by * none break

## disabled by the partner and moved further up!!
#access to attrs="univentionKolabForwardActive,kolabForwardAddress,kolabForwardKeepCopy,kolabForwardUCE,univentionKolabDeliveryToFolderActive,univentionKolabDeliveryToFolderName,kolabDelegate,univentionKolabVacationActive,univentionKolabVacationText,kolabVacationResendInterval,kolabVacationReplyToUCE,kolabVacationAddress,kolabVacationReactDomain,univentionKolabVacationNoReactDomain,kolabInvitationPolicy"
#	by self write
#	by * none break
## disabled by the partner and moved further up!!

# ---- domain-wide defaults (standard UCS ACLs) ------------------------
# The recurring writers below are: the rootdn cn=admin, members of
# "Domain Admins" (set clause), DC hosts below cn=dc,cn=computers and
# uid=root.
# NOTE(review): the dn.regex clauses in this section ("[^,]+,cn=dc,…",
# "cn=computers,dc=kunde,dc=de", ".*,dc=kunde,dc=de") are unanchored on
# the left, so they match any DN containing that suffix string; the rules
# above this point use "^…$$" consistently.

# Lock objects below cn=temporary: admins and DCs write, everyone reads.
access to dn.regex="^cn=([^,]+),cn=([^,]+),cn=temporary,cn=univention,dc=kunde,dc=de" filter="(&(objectClass=lock)(!(objectClass=posixAccount)))"
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by * read break
access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,dc=kunde,dc=de" attrs=children,entry
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by * read break
access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,dc=kunde,dc=de" attrs=univentionLastUsedValue
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by * read break

# Creating computer objects below cn=computers.
access to dn.regex="cn=computers,dc=kunde,dc=de" attrs=children,entry
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by * read break

# Windows hosts and the "Windows Hosts" group; the samba domain object.
access to dn.regex=".*,dc=kunde,dc=de" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=Windows Hosts)))"
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by * read break
access to dn.regex=".*,dc=kunde,dc=de" filter="(objectClass=sambaDomain)"
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by * read break

# Credentials of DC host accounts: a DC may change its own and read the
# other DCs'; final ("none" without break) for everybody else.
access to dn.regex="cn=.*,cn=dc,cn=computers,dc=kunde,dc=de" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by self write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" read
	by * none

# Credentials and Samba identity of member-server host accounts.
access to dn.regex="cn=.*,cn=memberserver,cn=computers,dc=kunde,dc=de" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by self write
	by * none
access to dn.regex="cn=.*,cn=memberserver,cn=computers,dc=kunde,dc=de" attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaAcctFlags
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by * read break

# Terminating rule for credential attributes everywhere else: admins and
# DCs write, member servers read, nobody else sees them ("none", no
# break, so the final catch-all below never applies to these attributes).
access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=kunde,dc=de" read
	by * none

# Samba ID mapping: DCs and member servers maintain it; hidden from
# everyone else (final).
access to dn.base="cn=idmap,cn=univention,dc=kunde,dc=de"
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=kunde,dc=de" write
	by * none
access to dn.regex=".*,cn=idmap,cn=univention,dc=kunde,dc=de" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by dn.regex="[^,]+,cn=dc,cn=computers,dc=kunde,dc=de" write
	by dn.regex="[^,]+,cn=memberserver,cn=computers,dc=kunde,dc=de" write
	by * none

# Final catch-all.  NOTE(review): "by * read" includes anonymous binds,
# so every attribute that no earlier rule terminated with "none" is
# world-readable (the standard UCS default).  Nothing in this file
# disallows anonymous binds ("disallow bind_anon" / "require authc");
# if the directory is reachable from outside the trusted network, that
# is the control to add or to enforce at the network layer.
access to *
	by dn.base="cn=admin,dc=kunde,dc=de" write
	by set="user & [cn=Domain Admins,cn=groups,dc=kunde,dc=de]/uniqueMember*" write
	by dn.base="uid=root,cn=users,dc=kunde,dc=de" write
	by * read

# Replication settings (syncrepl/updateref etc.) live in a separate,
# generated file; any further global or database directives it contains
# are not visible here.
include /etc/ldap/replica.conf