
(-)conffiles/etc/ldap/slapd.conf.d/70univention-ldap-server_acl-master-end (-18 / +18 lines)
 Lines 19-25    Link Here 
19
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
19
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
20
	else:
20
	else:
21
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
21
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
22
	print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
22
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
23
	print '   by * read break'
23
	print '   by * read break'
24
		
24
		
25
	print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base
25
	print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base
 Lines 28-34    Link Here 
28
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
28
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
29
	else:
29
	else:
30
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
30
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
31
	print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
31
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
32
	print '   by * read break'
32
	print '   by * read break'
33
33
34
	print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base
34
	print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base
 Lines 37-48    Link Here 
37
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
37
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
38
	else:
38
	else:
39
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
39
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
40
	print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
40
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
41
	print '   by * read break'
41
	print '   by * read break'
42
42
43
	print '## to prevent uidNumber=0 modifications'
43
	print '## to prevent uidNumber=0 modifications'
44
	print 'access to attrs=uidNumber value=0'
44
	print 'access to attrs=uidNumber value=0'
45
	print '   by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base )
45
	print '   by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base )
46
	print '   by * read break'
46
	print '   by * read break'
47
47
48
	print 'access to dn.subtree="cn=computers,%s" attrs=children,entry filter="(!(uidNumber=0))"' % ( ldap_base )
48
	print 'access to dn.subtree="cn=computers,%s" attrs=children,entry filter="(!(uidNumber=0))"' % ( ldap_base )
 Lines 51-57    Link Here 
51
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
51
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
52
	else:
52
	else:
53
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
53
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
54
	print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
54
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
55
	print '   by * read break'
55
	print '   by * read break'
56
56
57
	print 'access to dn.children="%s" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=%s)))"' % ( ldap_base, groups_default_windowshosts)
57
	print 'access to dn.children="%s" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=%s)))"' % ( ldap_base, groups_default_windowshosts)
 Lines 60-66    Link Here 
60
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
60
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
61
	else:
61
	else:
62
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
62
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
63
	print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
63
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
64
	print '   by * read break'
64
	print '   by * read break'
65
65
66
	print 'access to dn.children="%s" filter="(objectClass=sambaDomain)"' % ( ldap_base )
66
	print 'access to dn.children="%s" filter="(objectClass=sambaDomain)"' % ( ldap_base )
 Lines 69-75    Link Here 
69
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
69
		print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
70
	else:
70
	else:
71
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
71
		print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
72
	print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
72
	print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
73
	print '   by * read break'
73
	print '   by * read break'
74
74
75
print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base )
75
print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base )
 Lines 79-85    Link Here 
79
else:
79
else:
80
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
80
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
81
print '   by self %s' % ( usr )
81
print '   by self %s' % ( usr )
82
print '   by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base )
82
print '   by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base )
83
print '   by * none'
83
print '   by * none'
84
84
85
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base )
85
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base )
 Lines 88-94    Link Here 
88
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
88
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
89
else:
89
else:
90
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
90
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
91
print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
91
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
92
print '   by self %s' % ( usr )
92
print '   by self %s' % ( usr )
93
print '   by * none'
93
print '   by * none'
94
94
 Lines 98-104    Link Here 
98
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
98
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
99
else:
99
else:
100
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
100
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
101
print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
101
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
102
print '   by * read break'
102
print '   by * read break'
103
103
104
print 'access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword'
104
print 'access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword'
 Lines 107-114    Link Here 
107
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
107
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
108
else:
108
else:
109
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
109
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
110
print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
110
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
111
print '   by dn.onelevel="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
111
print '   by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
112
print '   by * none'
112
print '   by * none'
113
113
114
print 'access to attrs=shadowMax,krb5PasswordEnd,shadowLastChange'
114
print 'access to attrs=shadowMax,krb5PasswordEnd,shadowLastChange'
 Lines 117-124    Link Here 
117
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
117
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
118
else:
118
else:
119
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
119
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
120
print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
120
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
121
print '   by dn.onelevel="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
121
print '   by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base )
122
print '   by * read break'
122
print '   by * read break'
123
123
124
print 'access to dn.base="cn=idmap,cn=univention,%s"' % ( ldap_base )
124
print 'access to dn.base="cn=idmap,cn=univention,%s"' % ( ldap_base )
 Lines 127-134    Link Here 
127
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
127
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
128
else:
128
else:
129
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
129
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
130
print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
130
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
131
print '   by dn.onelevel="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
131
print '   by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
132
print '   by * none'
132
print '   by * none'
133
133
134
print 'access to dn.children="cn=idmap,cn=univention,%s" filter="(&(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))(!(objectClass=posixAccount)))"' % ( ldap_base )
134
print 'access to dn.children="cn=idmap,cn=univention,%s" filter="(&(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))(!(objectClass=posixAccount)))"' % ( ldap_base )
 Lines 137-144    Link Here 
137
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
137
	print '   by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr )
138
else:
138
else:
139
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
139
	print '   by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr )
140
print '   by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
140
print '   by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr )
141
print '   by dn.onelevel="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
141
print '   by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base )
142
print '   by * none'
142
print '   by * none'
143
143
144
print 'access to *'
144
print 'access to *'
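Review bot: Replacing `dn.onelevel` with `dn.children` in the `cn=dc,cn=computers,…` clauses (lines 22, 31, 40, 45, 54, 63, 72, 82, 91, 101, 110, 120, 130, 140 of the file) and the `cn=memberserver,cn=computers,…` clauses (lines 111, 121, 131, 141) widens each `by` clause from the container's direct children to every entry at any depth beneath it, and the hunks following `access to attrs=userPassword,krb5Key,…` (line 104) and `access to dn.base="cn=idmap,…"` (line 124) show that this includes `read` on the credential attributes and `write` below `cn=idmap`, so any entry that ends up nested under those containers appears to inherit host-level rights. If that is intended, the generated file should record it; a comment such as `# dn.children, not dn.onelevel: entries nested below cn=dc / cn=memberserver get the same rights as the host objects` next to the first changed print would do. Whether anything other than the host accounts can be created under these containers is not visible from this diff, so it is worth confirming, since whoever can add entries there effectively hands out these rights. The `if`/`else` bodies the changed prints belong to begin outside every hunk.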
