Alexandros Kosiaris has uploaded a new change for review.
https://gerrit.wikimedia.org/r/163758
Change subject: openldap: fix sambaNTpassword aci
......................................................................
openldap: fix sambaNTpassword aci
radiusagent needs it
Change-Id: Ib2d1727c4abcad40c90ee461d45960ff90fb8470
---
M modules/openldap/templates/slapd.erb
1 file changed, 9 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/58/163758/1
diff --git a/modules/openldap/templates/slapd.erb
b/modules/openldap/templates/slapd.erb
index ebfe05e..e85b2fb 100644
--- a/modules/openldap/templates/slapd.erb
+++ b/modules/openldap/templates/slapd.erb
@@ -134,12 +134,20 @@
checkpoint 512 30
### Access lists
+# For radius to work we need
+
+access to attrs=sambaNTPassword
+ by dn="cn=admin,<%= @suffix %>" write
+ by dn="cn=radiusagent,ou=other,dc=corp,dc=wikimedia,dc=org" read
+ by anonymous auth
+ by self write
+ by * none
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
-access to attrs=userPassword,shadowLastChange,sambaNTPassword
+access to attrs=userPassword,shadowLastChange
by dn="cn=admin,<%= @suffix %>" write
by anonymous auth
by self write
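Review bot: the radiusagent line in the new sambaNTPassword block hardcodes dc=corp,dc=wikimedia,dc=org, while the admin line directly above it uses <%= @suffix %>; if this template is rendered with any other suffix the read grant will silently fail to match, so build the DN from @suffix or pass the agent DN in as a template parameter. The comment "# For radius to work we need" also stops mid-sentence. Please finish it, and since the rule has no dn scope and therefore lets one service account read sambaNTPassword on every entry in this database, say in the comment why read is required rather than a lower level such as compare or auth.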
--
To view, visit https://gerrit.wikimedia.org/r/163758
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib2d1727c4abcad40c90ee461d45960ff90fb8470
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>