here is a slapd.conf with ACLs that give jradmin and admins some
special powers. it works with woody's slapd 2.0. i tested both the
wlus debian package and the ACLs on a skolelinux 1.0
installation.

the wlus debian package from yesterday's UR: was updated in the
meantime to fix minor bugs.

note that you still need the lis.schema out of the tar archive
posted yesterday.

i am not yet totally happy with what admins can do. those ACLs
are still taking shape.

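# The skolelinux slapd configuration file
#
# $Id: slapd-debian-edu.conf,v 1.4 2004/05/21 21:13:52 finnarne-guest Exp $
#
# Layout: global directives (schema, pidfile, logging, limits) first,
# then one ldbm database with its indexes and ACLs, then the TLS
# settings.  The ACL section is order-sensitive: slapd uses the first
# "access to" clause whose target (dn + attrs) matches the request, and
# within it the first "by" clause that matches the requester.  A "by"
# clause ending in "break" hands the decision on to the next matching
# "access to" clause instead of stopping.
#
# Continuation lines of a directive must start with whitespace; the
# "by" clauses below are indented for that reason.

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/courier.schema
include         /etc/ldap/schema/automount.schema
# lis.schema ships with wlus; the ACLs below presumably depend on it for
# the writeableBy and groupType attributes -- confirm against the schema.
include         /etc/ldap/schema/lis.schema
# Include the LDAP-schemas needed by samba.
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
# Don't include the LDAP-schemas used by eduPerson yet.
#include                /etc/ldap/schema/EduPerson.schema
#include                /etc/ldap/schema/norEduPerson.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values.
# 0 turns logging off entirely, so denied operations and bind failures
# leave no trace in syslog; 128 logs ACL processing and is the level to
# switch on when testing or auditing the access rules below.
#loglevel       128
loglevel        0

# Maximum number of entries returned for a single search (a result
# limit, not a cache setting).
sizelimit 2000

# In-memory caches of the ldbm backend: number of entries cached by
# slapd, and bytes of cache per open index file.
cachesize 10000
dbcachesize 10000000
#######################################################################
# ldbm database definitions
#######################################################################

# The backend type, ldbm, is the default standard
database        ldbm

# The base of your directory
suffix          "dc=skole,dc=skolelinux,dc=no"

# Where the database file are physically stored
directory       "/var/lib/ldap"

index default pres,eq
index objectclass               pres,eq
index uid                       pres,eq
#index eduPersonPrincipalName   pres,eq
index cn,mail,surname,givenname pres,eq,sub
index uidNumber,gidNumber       pres,eq
index member                    pres,eq
index memberUid                 pres,eq
index userPassword              eq
# Indexes used by Samba2
#index lmPassword               eq
#index ntPassword               eq
# Indexes used by Samba3
index sambaSID                  eq
index sambaNTPassword           eq
index sambaLMPassword           eq
# Indices special for WLUS
index groupType                 eq


# Save the time that the entry gets modified
lastmod on

# Default access for passwords
# PS: You have to use an encrypted channel(with either SSL or TLS) to
#     access userPassword: 'ssf=128'.
# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
#
# "ssf=128" in a "by" clause makes that clause match only when the
# connection's security strength factor is at least 128, i.e. on an
# encrypted session; on a cleartext connection the clause is skipped
# and evaluation moves on to the next "by" clause.

# The directory admin's own password: only cn=admin may change it
# (write, not read), and only over an encrypted connection; everyone
# else may merely bind with it.  This clause deliberately precedes the
# group grants below so that neither admins nor jradmins can reset the
# directory admin's password.
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" attrs=userPassword
        by self ssf=128 =wx
        by * auth

# The remaining attributes of the admin entry are writable by the
# admins group and readable by everyone.
access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
        by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
        by * read

# Everybody else's password: the owner and cn=admin may set it (write,
# not read), anonymous may bind with it, all over an encrypted
# connection only.  "none break" sends every other requester on to the
# delegation clauses below instead of deciding here.
access to attrs=userPassword
        by self ssf=128 =wx
        by anonymous ssf=128 auth
        by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
        by * none break
# Delegated password resets: an entry whose writeableBy attribute names
# a group may have its password set by members of that group, again
# only over an encrypted connection.  The admins clause breaks so that
# an entry writeable by both groups still reaches the jradmins clause.
access to filter=(writeableBy=admins) attrs=userPassword
        by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
        by * none break
access to filter=(writeableBy=jradmins) attrs=userPassword
        by group.base="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
        by * none
# Close the fall-through: a userPassword request that matched none of
# the clauses above is denied here.  Without this clause the "break"
# controls above let such a request continue to the default
# "access to *" at the end of this file, whose "by * read" would grant
# read on the password hash -- including to anonymous clients on a
# cleartext connection, since none of the ssf=128 clauses match there.
# The samba hash clause below already ends in an unconditional "none"
# for the same reason.
access to attrs=userPassword
        by * none

#
# Ensure samba password hashes.
#

# Restricted access to some samba attributes
# (allow access for admin to don't break old installations)
# No "break" here: anyone not listed, and anyone on a cleartext
# connection, gets none -- the hashes are never readable.
access to attrs=sambaLMPassword,sambaNTPassword
        by self ssf=128 write
        by anonymous ssf=128 auth
        by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
        by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
        by * none

# Access to samba attributs
# "by * read" makes these account attributes readable by every client,
# anonymous included (nss_ldap-style lookups need this for uid,
# uidNumber, gidNumber etc.).  The samba password policy fields
# (sambaPwdLastSet, sambaAcctFlags, ...) are therefore public as well;
# confirm that is intended.
access to attribute=objectClass,cn,uid,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet,sambaAcctFlags
        by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
        by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
        by * read

# We store machine-accounts for samba in a private ou
# NOTE(review): the dn= here carries no style; in this slapd version an
# unstyled pattern is presumably treated as an unanchored regex, which
# is what makes it cover the entries below ou=Machines -- confirm, or
# spell the intent out with dn.subtree=.
access to dn="ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no"
    by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by dn.base="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
    by * read

# Defaultaccess
# Everything not caught by an earlier clause: cn=admin and the admins
# group write (no ssf requirement, so also over cleartext), everyone
# else -- anonymous included -- reads the whole directory.
access to *
        by dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" write
        by group.base="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" write
        by * read

# TLS settings.  These are global directives; slapd.conf(5) documents
# them in the global section before the database definition -- confirm
# that this slapd version accepts them here.
#
# NOTE(review): the cipher string still admits the SSLv2 cipher suites,
# which are weak; dropping ":SSLv2" (leaving HIGH:MEDIUM) is advisable
# once the clients listed above are known to negotiate TLS.
TLSCipherSuite          HIGH:MEDIUM:SSLv2
# One PEM file serves as certificate, private key and CA certificate.
# Because it holds the private key it must be readable only by the
# user slapd runs as; using the server's own certificate as the CA
# file means clients verifying against it are effectively pinning a
# self-signed certificate.
TLSCertificateFile      /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile   /etc/ldap/ssl/slapd.pem
TLSCACertificateFile    /etc/ldap/ssl/slapd.pem

# End of ldapd configuration file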

