ldapsaisie/lsexample/permissions-ls.conf

95 lines
3.6 KiB
Text
Raw Normal View History

## Racine
access to dn.regex="^o=ls$" attrs="entry,children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by users read
by * read
## Groups
### Ajout d'entrees par les admins
access to dn.regex="^ou=groups,o=ls$" attrs="children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by users read
by * none
access to dn.regex="^cn=[^,]+,ou=groups,o=ls$" attrs="entry,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by users read
by * none
### Les admins peuvent tout modifier, les authentifies peuvent tout voir
access to dn.regex="^cn=[^,]+,ou=groups,o=ls$"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by users read
by * none
## Peoples
### Ajout d'entrees par les admins
access to dn.regex="^ou=people,o=ls$" attrs="children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by users read
by * read
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="entry,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by users read
by * read
### Les admins peuvent modifier le mot de passe, samba le mettre à jour, les autres peuvent s'en servir pour l'authentification
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="userPassword"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by self write
by anonymous auth
by * none
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$" attrs="userPassword"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by anonymous auth
by * none
### Les admins peuvent modifier ces attributs, les authentifies peuvent les voir
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="uid,lsallowedservices,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaAcctFlags,sambaPrimaryGroupSID"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by users read
by * none
### Les admins peuvent modifier ces attributs, le proprio aussi, samba aussi
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="sambaLMPassword,sambaNTPassword"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" write
by self write
by * none
### Les admins peuvent modifier ces attributs, le proprio aussi, les authentifies peuvent les voir
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="c,cn,jpegPhoto,personalTitle,sn,givenName,postalAddress,postalCode,l,st,telephoneNumber,mobile,fax,mail,description"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by self write
by users read
by * read
## Les authentifies peuvent voir les noeuds et les admins peuvent en ajouter
access to * attrs="entry"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by users read
by * none
## Le reste
access to *
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=ldapsaisie,ou=sysaccounts,o=ls" write
by * none