|
13 |
def replace_ucr_variables(template): |
13 |
def replace_ucr_variables(template): |
14 |
variable_token = re.compile('@[$]@') |
14 |
variable_token = re.compile('@[$]@') |
15 |
|
15 |
|
16 |
dir_ucsschool = { } |
16 |
dir_ucsschool = { |
17 |
dir_ucsschool[ 'DISTRICT' ] = '' |
17 |
'DISTRICT': 'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '', |
18 |
if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ): |
18 |
'PUPILS': configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'), |
19 |
dir_ucsschool[ 'DISTRICT' ] = 'ou=[^,]+,' |
19 |
'TEACHERS': configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'), |
20 |
dir_ucsschool[ 'PUPILS' ] = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') |
20 |
'STAFF': configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'), |
21 |
dir_ucsschool[ 'TEACHERS' ] = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') |
21 |
'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'), |
22 |
dir_ucsschool[ 'STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') |
22 |
'ADMINS': configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'), |
23 |
dir_ucsschool[ 'TEACHERS-STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') |
23 |
'GRPADMINS': configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'), |
24 |
dir_ucsschool[ 'ADMINS' ] = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins') |
24 |
'ROOMS': configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'), |
25 |
dir_ucsschool[ 'GRPADMINS' ] = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') |
25 |
'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), |
|
|
26 |
'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), |
27 |
'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), |
28 |
'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), |
29 |
} |
26 |
|
30 |
|
27 |
|
|
|
28 |
while 1: |
31 |
while 1: |
29 |
i = variable_token.finditer(template) |
32 |
i = variable_token.finditer(template) |
30 |
try: |
33 |
try: |
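Review bot: The group and container names that the new `dir_ucsschool` dict reads from UCR (new lines 18-28) are substituted verbatim into both `dn.regex="..."` patterns (e.g. `cn=@$@ROOMS@$@` at new line 150) and quoted literal DN clauses (e.g. `uniqueMember="cn=@$@ALL_ADM_DC@$@,..."` at new line 49), with no validation or escaping. A value containing `"`, `|`, `,` or another regex metacharacter would either change which DNs the ACL matches or break the generated slapd configuration; the substitution loop that applies the dict (old lines 31-38) sits outside this hunk. Since the same value is used in regex and literal contexts, `re.escape` alone is not right; a whitelist check after the dict is built, skipping `DISTRICT` (which intentionally holds the regex fragment `ou=[^,]+,`), would fail closed: `for key, value in dir_ucsschool.items():` / `    if key != 'DISTRICT' and not re.match(r'^[A-Za-z0-9 _.-]*$', value):` / `        raise ValueError('invalid character in UCR value for %s: %r' % (key, value))` (the exact allowed character set should be confirmed against what the container names may legitimately contain). Minor style point: new line 17 calls `configRegistry.is_true('ucsschool/ldap/district/enable')` without the `'no'` default that new line 45 still passes; as far as I can tell both are falsy when the variable is unset, so one form should be used in both places.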
|
39 |
return template |
42 |
return template |
40 |
|
43 |
|
41 |
|
44 |
|
42 |
|
45 |
if configRegistry.is_true('ucsschool/ldap/district/enable','no'): |
43 |
if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ): |
|
|
44 |
aclset += """ |
46 |
aclset += """ |
45 |
# DCs und Memberserver erhalten Lesezugriff auf das OU-Objekt selbst (im DISTRICT-Mode notwendig) |
47 |
# DCs und Memberserver erhalten Lesezugriff auf das OU-Objekt selbst (im DISTRICT-Mode notwendig) |
46 |
access to dn.regex="^ou=([^,]+),@%@ldap/base@%@$$" |
48 |
access to dn.regex="^ou=([^,]+),@%@ldap/base@%@$$" |
47 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
49 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
48 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
50 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
49 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
51 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
50 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
52 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
51 |
by * none break |
53 |
by * none break |
52 |
|
54 |
|
53 |
""" |
55 |
""" |
|
61 |
|
63 |
|
62 |
# Slave controllers and memberservers require write access to virtual machine manager objects |
64 |
# Slave controllers and memberservers require write access to virtual machine manager objects |
63 |
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)" |
65 |
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)" |
64 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
66 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
65 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
67 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
66 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
68 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
67 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
69 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
68 |
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write |
70 |
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write |
69 |
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write |
71 |
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write |
70 |
by * read break |
72 |
by * read break |
71 |
|
73 |
|
72 |
access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)" |
74 |
access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)" |
73 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
75 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
74 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
76 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
75 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
77 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
76 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
78 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
77 |
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write |
79 |
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write |
78 |
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write |
80 |
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write |
79 |
by * read break |
81 |
by * read break |
80 |
|
82 |
|
81 |
access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry |
83 |
access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry |
82 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
84 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
83 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
85 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
84 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
86 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
85 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
87 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
86 |
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write |
88 |
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write |
87 |
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write |
89 |
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write |
88 |
by * read break |
90 |
by * read break |
|
89 |
|
91 |
|
90 |
# Slave controller and memberservers may replicate the Virtual Machine Manager container |
92 |
# Slave controller and memberservers may replicate the Virtual Machine Manager container |
91 |
access to dn.subtree="cn=Virtual Machine Manager,@%@ldap/base@%@" |
93 |
access to dn.subtree="cn=Virtual Machine Manager,@%@ldap/base@%@" |
92 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
94 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
93 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
95 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
94 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
96 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
95 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
97 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
96 |
by * read break |
98 |
by * read break |
97 |
|
99 |
|
98 |
# Slave controller and memberservers may replicate the mail container |
100 |
# Slave controller and memberservers may replicate the mail container |
99 |
access to dn.subtree="cn=mail,@%@ldap/base@%@" |
101 |
access to dn.subtree="cn=mail,@%@ldap/base@%@" |
100 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
102 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
101 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
103 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
102 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
104 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
103 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
105 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
104 |
by * read break |
106 |
by * read break |
105 |
|
107 |
|
106 |
access to dn.regex="^@%@ldap/base@%@$$" |
108 |
access to dn.regex="^@%@ldap/base@%@$$" |
|
109 |
|
111 |
|
110 |
# DC Slaves need write access to the members of the group Domain Computers |
112 |
# DC Slaves need write access to the members of the group Domain Computers |
111 |
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid" |
113 |
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid" |
112 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
114 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
113 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
115 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
114 |
by * none break |
116 |
by * none break |
115 |
|
117 |
|
116 |
# Slave-Controller und Memberserver duerfen globale Container computers, shares, dns, dhcp, kerberos und policies sowie Benutzer lesen |
118 |
# Slave-Controller und Memberserver duerfen globale Container computers, shares, dns, dhcp, kerberos und policies sowie Benutzer lesen |
117 |
access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)@%@ldap/base@%@$$" |
119 |
access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)@%@ldap/base@%@$$" |
118 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
120 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
119 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
121 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
120 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
122 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
121 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
123 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
122 |
by * none break |
124 |
by * none break |
123 |
|
125 |
|
124 |
# Slave DCs can read MS system container |
126 |
# Slave DCs can read MS system container |
125 |
access to dn.base="cn=system,@%@ldap/base@%@" |
127 |
access to dn.base="cn=system,@%@ldap/base@%@" |
126 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
128 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
127 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
129 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
128 |
by * none break |
130 |
by * none break |
129 |
|
131 |
|
130 |
# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects |
132 |
# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects |
131 |
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))" |
133 |
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))" |
132 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
134 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
133 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
135 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
134 |
by * none break |
136 |
by * none break |
135 |
|
137 |
|
136 |
# Slave DCs can read and write policy containers for MS WMI filter objects |
138 |
# Slave DCs can read and write policy containers for MS WMI filter objects |
137 |
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))" |
139 |
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))" |
138 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
140 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
139 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
141 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
140 |
by * none break |
142 |
by * none break |
141 |
|
143 |
|
142 |
# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern |
144 |
# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern |
|
145 |
by * none break |
147 |
by * none break |
146 |
|
148 |
|
147 |
# Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten |
149 |
# Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten |
148 |
access to dn.regex="^cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry |
150 |
access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry |
149 |
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write |
151 |
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write |
150 |
by * none break |
152 |
by * none break |
151 |
|
153 |
|
152 |
access to dn.regex="^cn=([^,]+),cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" |
154 |
access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" |
153 |
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write |
155 |
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write |
154 |
by * none break |
156 |
by * none break |
155 |
|
157 |
|
|
224 |
|
226 |
|
225 |
# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers |
227 |
# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers |
226 |
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" |
228 |
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" |
227 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
229 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
228 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
230 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
229 |
by * none break |
231 |
by * none break |
230 |
|
232 |
|
231 |
# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users |
233 |
# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users |
232 |
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" |
234 |
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" |
233 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
235 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
234 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
236 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
235 |
by * none break |
237 |
by * none break |
236 |
|
238 |
|
237 |
# domaincontroller slaves and memberservers may replicate the OU "domain controllers" |
239 |
# domaincontroller slaves and memberservers may replicate the OU "domain controllers" |
238 |
access to dn.subtree="ou=domain controllers,@%@ldap/base@%@" |
240 |
access to dn.subtree="ou=domain controllers,@%@ldap/base@%@" |
239 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
241 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
240 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
242 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
241 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
243 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
242 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
244 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
243 |
by * read break |
245 |
by * read break |
244 |
|
246 |
|
245 |
# Memberserver duerfen bestimmte Attribute lesen |
247 |
# Memberserver duerfen bestimmte Attribute lesen |
246 |
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange |
248 |
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange |
247 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
249 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
248 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
250 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
249 |
by * none break |
251 |
by * none break |
250 |
|
252 |
|
251 |
# Slave-Controller duerfen Eintraege Ihrer ou lesen und schreiben (Passwortaenderungen etc.) |
253 |
# Slave-Controller duerfen Eintraege Ihrer ou lesen und schreiben (Passwortaenderungen etc.) |
252 |
# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts |
254 |
# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts |
253 |
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" |
255 |
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" |
254 |
by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
256 |
by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
255 |
by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
257 |
by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
256 |
by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write |
258 |
by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write |
257 |
by group/univentionGroup/uniqueMember.expand="cn=OU$2-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
259 |
by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
258 |
by group/univentionGroup/uniqueMember.expand="cn=OU$2-Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
260 |
by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
259 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
261 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
260 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
262 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
261 |
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" read |
263 |
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" read |
262 |
by dn.regex="^uid=(.+,)?cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" none break |
264 |
by dn.regex="^uid=(.+,)?cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" none break |
263 |
by dn.regex="^uid=(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" none |
265 |
by dn.regex="^uid=(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" none |
|
265 |
|
267 |
|
266 |
# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!) |
268 |
# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!) |
267 |
access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry |
269 |
access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry |
268 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
270 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
269 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
271 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
270 |
by * none break |
272 |
by * none break |
271 |
|
273 |
|
272 |
access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" |
274 |
access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" |
273 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
275 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
274 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
276 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write |
275 |
by * none break |
277 |
by * none break |
276 |
|
278 |
|
277 |
# Slave-Controller duerfen nagios-Container und Inhalt replizieren |
279 |
# Slave-Controller duerfen nagios-Container und Inhalt replizieren |
278 |
access to dn.subtree="cn=nagios,@%@ldap/base@%@" |
280 |
access to dn.subtree="cn=nagios,@%@ldap/base@%@" |
279 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
281 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
280 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
282 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
281 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
283 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
282 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
284 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read |
283 |
by * none break |
285 |
by * none break |
284 |
|
286 |
|
285 |
# Schüler, Lehrer, Mitarbeiter, Admins duerfen globale Container univention, policies, groups und dns lesen |
287 |
# Schüler, Lehrer, Mitarbeiter, Admins duerfen globale Container univention, policies, groups und dns lesen |
|
290 |
|
292 |
|
291 |
# Slave-Controller und normale Lehrer duerfen sonst nichts lesen, Schueler sowieso nicht |
293 |
# Slave-Controller und normale Lehrer duerfen sonst nichts lesen, Schueler sowieso nicht |
292 |
access to * |
294 |
access to * |
293 |
by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
295 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
294 |
by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
296 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
295 |
by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
297 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
296 |
by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
298 |
by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none |
297 |
by * none break |
299 |
by * none break |
298 |
|
300 |
|
299 |
""" |
301 |
""" |