|
19 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
19 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
20 |
else: |
20 |
else: |
21 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
21 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
22 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
22 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
23 |
print ' by * read break' |
23 |
print ' by * read break' |
24 |
|
24 |
|
25 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base |
25 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=children,entry' % ldap_base |
|
28 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
28 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
29 |
else: |
29 |
else: |
30 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
30 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
31 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
31 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
32 |
print ' by * read break' |
32 |
print ' by * read break' |
33 |
|
33 |
|
34 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base |
34 |
print 'access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,%s$" attrs=univentionLastUsedValue' % ldap_base |
|
37 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
37 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
38 |
else: |
38 |
else: |
39 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
39 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
40 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
40 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
41 |
print ' by * read break' |
41 |
print ' by * read break' |
42 |
|
42 |
|
43 |
print '## to prevent uidNumber=0 modifications' |
43 |
print '## to prevent uidNumber=0 modifications' |
44 |
print 'access to attrs=uidNumber value=0' |
44 |
print 'access to attrs=uidNumber value=0' |
45 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
45 |
print ' by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
46 |
print ' by * read break' |
46 |
print ' by * read break' |
47 |
|
47 |
|
48 |
print 'access to dn.subtree="cn=computers,%s" attrs=children,entry filter="(!(uidNumber=0))"' % ( ldap_base ) |
48 |
print 'access to dn.subtree="cn=computers,%s" attrs=children,entry filter="(!(uidNumber=0))"' % ( ldap_base ) |
|
51 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
51 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
52 |
else: |
52 |
else: |
53 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
53 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
54 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
54 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
55 |
print ' by * read break' |
55 |
print ' by * read break' |
56 |
|
56 |
|
57 |
print 'access to dn.children="%s" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=%s)))"' % ( ldap_base, groups_default_windowshosts) |
57 |
print 'access to dn.children="%s" filter="(|(objectClass=univentionWindows)(&(objectClass=univentionGroup)(cn=%s)))"' % ( ldap_base, groups_default_windowshosts) |
|
60 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
60 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
61 |
else: |
61 |
else: |
62 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
62 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
63 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
63 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
64 |
print ' by * read break' |
64 |
print ' by * read break' |
65 |
|
65 |
|
66 |
print 'access to dn.children="%s" filter="(objectClass=sambaDomain)"' % ( ldap_base ) |
66 |
print 'access to dn.children="%s" filter="(objectClass=sambaDomain)"' % ( ldap_base ) |
|
69 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
69 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
70 |
else: |
70 |
else: |
71 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
71 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
72 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
72 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
73 |
print ' by * read break' |
73 |
print ' by * read break' |
74 |
|
74 |
|
75 |
print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
75 |
print 'access to dn.regex="^cn=.*,cn=dc,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
|
79 |
else: |
79 |
else: |
80 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
80 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
81 |
print ' by self %s' % ( usr ) |
81 |
print ' by self %s' % ( usr ) |
82 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
82 |
print ' by dn.children="cn=dc,cn=computers,%s" read' % ( ldap_base ) |
83 |
print ' by * none' |
83 |
print ' by * none' |
84 |
|
84 |
|
85 |
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
85 |
print 'access to dn.regex="^cn=.*,cn=memberserver,cn=computers,%s$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange' % ( ldap_base ) |
|
88 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
88 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
89 |
else: |
89 |
else: |
90 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
90 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
91 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
91 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
92 |
print ' by self %s' % ( usr ) |
92 |
print ' by self %s' % ( usr ) |
93 |
print ' by * none' |
93 |
print ' by * none' |
94 |
|
94 |
|
|
98 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
98 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
99 |
else: |
99 |
else: |
100 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
100 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
101 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
101 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
102 |
print ' by * read break' |
102 |
print ' by * read break' |
103 |
|
103 |
|
104 |
print 'access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword' |
104 |
print 'access to attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange,sambaPasswordHistory,sambaClearTextPassword,sambaPreviousClearTextPassword' |
|
107 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
107 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
108 |
else: |
108 |
else: |
109 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
109 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
110 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
110 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
111 |
print ' by dn.onelevel="cn=memberserver,cn=computers,%s" read' % ( ldap_base ) |
111 |
print ' by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base ) |
112 |
print ' by * none' |
112 |
print ' by * none' |
113 |
|
113 |
|
114 |
print 'access to attrs=shadowMax,krb5PasswordEnd,shadowLastChange' |
114 |
print 'access to attrs=shadowMax,krb5PasswordEnd,shadowLastChange' |
|
117 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
117 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
118 |
else: |
118 |
else: |
119 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
119 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
120 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
120 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
121 |
print ' by dn.onelevel="cn=memberserver,cn=computers,%s" read' % ( ldap_base ) |
121 |
print ' by dn.children="cn=memberserver,cn=computers,%s" read' % ( ldap_base ) |
122 |
print ' by * read break' |
122 |
print ' by * read break' |
123 |
|
123 |
|
124 |
print 'access to dn.base="cn=idmap,cn=univention,%s"' % ( ldap_base ) |
124 |
print 'access to dn.base="cn=idmap,cn=univention,%s"' % ( ldap_base ) |
|
127 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
127 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
128 |
else: |
128 |
else: |
129 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
129 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
130 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
130 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
131 |
print ' by dn.onelevel="cn=memberserver,cn=computers,%s" write' % ( ldap_base ) |
131 |
print ' by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base ) |
132 |
print ' by * none' |
132 |
print ' by * none' |
133 |
|
133 |
|
134 |
print 'access to dn.children="cn=idmap,cn=univention,%s" filter="(&(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))(!(objectClass=posixAccount)))"' % ( ldap_base ) |
134 |
print 'access to dn.children="cn=idmap,cn=univention,%s" filter="(&(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))(!(objectClass=posixAccount)))"' % ( ldap_base ) |
|
137 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
137 |
print ' by set="user & [cn=%s,cn=groups,%s]/uniqueMember*" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
138 |
else: |
138 |
else: |
139 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
139 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % ( groups_default_domainadmins, ldap_base, usr ) |
140 |
print ' by dn.onelevel="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
140 |
print ' by dn.children="cn=dc,cn=computers,%s" %s' % ( ldap_base, usr ) |
141 |
print ' by dn.onelevel="cn=memberserver,cn=computers,%s" write' % ( ldap_base ) |
141 |
print ' by dn.children="cn=memberserver,cn=computers,%s" write' % ( ldap_base ) |
142 |
print ' by * none' |
142 |
print ' by * none' |
143 |
|
143 |
|
144 |
print 'access to *' |
144 |
print 'access to *' |