Alexandros Kosiaris has submitted this change and it was merged.
Change subject: openldap: Prepend extra ACLs to base ACLs
......................................................................
openldap: Prepend extra ACLs to base ACLs
Since base ACLs are more generic than the per-domain ACLs, the latter
should appear first. Amend those so that the rights we want per domain
are granted to the respective users without breaking the rest of the tree.
Change-Id: I84abf3f9391239a52b6d7b2b78b37468c24b3aaf
---
M modules/openldap/manifests/init.pp
M modules/openldap/templates/base-acls.erb
M modules/openldap/templates/corp-acls.erb
M modules/openldap/templates/labs-acls.erb
4 files changed, 13 insertions(+), 8 deletions(-)
Approvals:
Muehlenhoff: Looks good to me, but someone else must approve
Alexandros Kosiaris: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/openldap/manifests/init.pp
b/modules/openldap/manifests/init.pp
index 53a3f10..a74bbef 100644
--- a/modules/openldap/manifests/init.pp
+++ b/modules/openldap/manifests/init.pp
@@ -117,7 +117,7 @@
owner => 'root',
group => 'root',
mode => '0444',
- content => template('openldap/base-acls.erb', $extra_acls),
+ content => template($extra_acls, 'openldap/base-acls.erb'),
}
} else {
file { '/etc/ldap/acls.conf' :
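Review bot: The argument swap on the `content =>` line is the right fix, because `template()` concatenates its rendered templates in argument order and slapd evaluates `access` directives first-match, so the per-domain `access to *` rules in `$extra_acls` must land before the catch-all that base-acls.erb now ends with. A one-line comment above `content =>` saying that `$extra_acls` must stay first would stop the next editor from "tidying" the arguments back into the old order, which would silently make the base catch-all shadow every per-domain rule.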
diff --git a/modules/openldap/templates/base-acls.erb
b/modules/openldap/templates/base-acls.erb
index 25366f5..edb832f 100644
--- a/modules/openldap/templates/base-acls.erb
+++ b/modules/openldap/templates/base-acls.erb
@@ -30,3 +30,9 @@
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
+
+# everyone can read everything else not already defined
+# in above rules and write self
+access to *
+ by self write
+ by * read
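Review bot: The new catch-all `access to * ... by * read` grants anonymous read of every attribute not matched by an earlier `access` directive in this file, for every deployment that renders base-acls.erb, including the `else` branch in init.pp that previously had no catch-all at all; please confirm the rules above it already restrict `userPassword` and any other sensitive attributes, since a trailing catch-all is exactly where such an omission becomes world-readable. The `by self write` / `by * read` pair is moved here from corp-acls.erb and labs-acls.erb rather than newly introduced, which is worth stating in the comment so the reader knows the per-domain templates now rely on this block.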
diff --git a/modules/openldap/templates/corp-acls.erb
b/modules/openldap/templates/corp-acls.erb
index 9e27efb..badea98 100644
--- a/modules/openldap/templates/corp-acls.erb
+++ b/modules/openldap/templates/corp-acls.erb
@@ -1,6 +1,5 @@
-# The admin dn has full write access, everyone else
-# can read everything.
+# The admin dn has full write access
+# The break here means nobody else will be considered for this rule
access to *
by dn="cn=admin,<%= @suffix %>" write
- by self write
- by * read
+ by * break
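Review bot: The comment "nobody else will be considered for this rule" misstates what `break` does: non-admin identities do match the `by * break` clause, but evaluation then continues with the next `access` directive instead of stopping, and that fall-through is what lets the catch-all in base-acls.erb apply to them. Suggest wording it as `# break: anyone other than the admin dn falls through to the following access directives`. It is also worth noting in the comment that this only works because this template is rendered before base-acls.erb; in the reverse order the base `access to *` would match first and this directive would never be reached.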
diff --git a/modules/openldap/templates/labs-acls.erb
b/modules/openldap/templates/labs-acls.erb
index 2610299..0933e0e 100644
--- a/modules/openldap/templates/labs-acls.erb
+++ b/modules/openldap/templates/labs-acls.erb
@@ -1,7 +1,7 @@
# The cn=admin DN and the members of the "Directory Managers" group
-# have full write access, everyone else can read everything.
+# have full write access. The break here means that others will not be
+# considered for this rule
access to *
by dn="cn=admin,<%= @suffix %>" write
by group/groupOfUniqueNames/uniqueMember="cn=Directory
Managers,ou=groups,dc=wikimedia,dc=org" write
- by self write
- by * read
+ by * break
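Review bot: Same wording issue as corp-acls.erb: `break` does not stop others from being considered, it passes them on to the next `access` directive, so "fall through to the following access directives" is the accurate phrasing. Separately, the context line with the group DN hard-codes `dc=wikimedia,dc=org` while the admin DN on the line above uses `<%= @suffix %>`; if this template is ever rendered with a different suffix the group clause matches nothing and only cn=admin keeps write access, with no error to flag it. Consider `cn=Directory Managers,ou=groups,<%= @suffix %>` for consistency.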
--
To view, visit https://gerrit.wikimedia.org/r/257690
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I84abf3f9391239a52b6d7b2b78b37468c24b3aaf
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: coren <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits