# OpenLDAP slapd access-control rules for the o=ls tree (every targeted DN below
# ends in o=ls).  Rules are evaluated top-down: the first "access to" clause whose
# target (dn.regex and attrs) matches the entry/attribute being touched is used,
# and inside it the first matching "by" clause decides -- nothing after that is
# consulted, so the order of clauses is significant.  Privilege levels are
# cumulative: "write" implies read, "auth" only permits a bind against the
# attribute (no read), "none" denies everything.  The pseudo-attributes "entry"
# and "children" control access to the entry itself and to adding/removing
# entries beneath it.  "by" lines are continuation lines and must start with
# whitespace.
#
# "adminldap" throughout means members of cn=adminldap,ou=groups,o=ls, matched
# through the uniqueMember attribute of objectclass lsgroup.
# Reviewer remarks are marked NOTE(review); they do not change any rule.

## Root
# NOTE(review): "by users read" is dead here -- the following "by * read"
# already grants the same level to everyone, anonymous binds included.
access to dn.regex="^o=ls$" attrs="entry,children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * read

## Sysaccounts
### Entry creation by admins
# NOTE(review): any authenticated user can enumerate the system accounts
# (children of the OU plus entry/objectclass of each uid); confirm that is
# intended rather than limiting it to the accounts that need the listing.
access to dn.regex="^ou=sysaccounts,o=ls$" attrs="children"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none

access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none

### Admins may change the password; everyone else may only use it to authenticate
# No "by self" clause: a system account cannot change its own password, only
# adminldap can.  "anonymous auth" is what lets a simple bind succeed without
# exposing the stored value.
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$" attrs="userPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by anonymous auth
    by * none

### Admins may modify every attribute; nobody else sees anything
# Catch-all for all remaining attributes of a system account.
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * none

## Aliases
### Entry creation by admins
# NOTE(review): the whole alias branch is readable by anyone, anonymous binds
# included (every clause in this section ends with "by * read").  If only the
# mail server needs it, that server already has an identity further down
# (uid=mail,ou=sysaccounts,o=ls) which could be granted read instead of "*";
# confirm how the MTA binds before tightening.
access to dn.regex="^ou=aliases,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read

access to dn.regex="^mail=[^,]+,ou=aliases,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read

### Admins may modify every attribute; everybody may see them
access to dn.regex="^mail=[^,]+,ou=aliases,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read

## Mailboxes
### Entry creation by admins
# Existence of the OU and of each mailbox entry is visible to anonymous binds.
access to dn.regex="^ou=mailboxes,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read

access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read

### Admins may change the password; everyone else may only use it to authenticate
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="userPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by anonymous auth
    by * none

### Admins may modify these attributes, the mail application may see them, nobody else has any right
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="mailbox,mailforwardingaddress"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=mail,ou=sysaccounts,o=ls" read
    by * none

### Admins may modify these attributes; authenticated users may see them
# NOTE(review): the heading says authenticated users, but the rule is
# "by * read", so anonymous clients can read uid, description, mail,
# mailalternateaddress, mailquota and eeallowedservices of every mailbox.
# Use "by users read" followed by "by * none" (as the Groups section does)
# if the heading states the intent.
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="uid,description,mail,mailalternateaddress,mailquota,eeallowedservices"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read

## Groups
### Entry creation by admins
access to dn.regex="^ou=groups,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none

access to dn.regex="^cn=[^,]+,ou=groups,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none

### Admins may modify everything; authenticated users may see everything
# Group membership (which drives the adminldap checks above) is writable by
# adminldap only and hidden from anonymous binds.
access to dn.regex="^cn=[^,]+,ou=groups,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none


## People
### Entry creation by admins
# NOTE(review): "by users read" is dead before "by * read" in both clauses
# below; as written, anonymous clients can list every uid under ou=people.
access to dn.regex="^ou=people,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * read

access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * read


### Admins may change the password, samba may update it, the owner may change it, everyone else may only use it to authenticate
# The samba system account and the entry owner ("self") may both write
# userPassword; "write" also allows reading the stored value back.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="userPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by self write
    by anonymous auth
    by * none

### Admins may modify these attributes, the mail application may see them, nobody else has any right
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="mailbox"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=mail,ou=sysaccounts,o=ls" read
    by * none

### Admins may modify these attributes; authenticated users may see them
# POSIX and samba account attributes: read-only for authenticated users, the
# owner cannot change them.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="uid,mailquota,eeallowedservices,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaAcctFlags,sambaPrimaryGroupSID"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none

### Admins may modify these attributes, so may the owner; gnarwl may modify them and mail may see them
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="mailforwardingaddress"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=gnarwl,ou=sysaccounts,o=ls" write
    by self write
    by dn="uid=mail,ou=sysaccounts,o=ls" read
    by * none

### Admins may modify these attributes, so may the owner; authenticated users may see them, gnarwl may modify them
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="vacationActive"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=gnarwl,ou=sysaccounts,o=ls" write
    by self write
    by users read
    by * none

### Admins may modify these attributes, so may the owner; mail and gnarwl may see them
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="vacationForward"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by self write
    by dn="uid=mail,ou=sysaccounts,o=ls" read
    by dn="uid=gnarwl,ou=sysaccounts,o=ls" read
    by * none

### Admins may modify these attributes, so may the owner and samba
# NOTE(review): "write" implies read, so the owner can read back their own
# sambaLMPassword/sambaNTPassword values.  If the owner only needs to set
# them, the explicit privilege form "by self =w" grants write without read.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="sambaLMPassword,sambaNTPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by self write
    by * none

### Admins may modify these attributes, so may the owner; authenticated users may see them
# NOTE(review): the heading says authenticated users, but the final "by * read"
# also exposes this personal data (cn, sn, givenName, jpegPhoto, postalAddress,
# telephoneNumber, mobile, mail, ...) to anonymous binds, and makes the
# preceding "by users read" dead.  The Computers section expresses the same
# intent with "by users read" / "by * none"; align this clause with it unless
# anonymous read of these attributes is actually required.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="c,cn,jpegPhoto,personalTitle,sn,givenName,postalAddress,postalCode,l,st,telephoneNumber,mobile,fax,mail,mailalternateaddress,maildrop,description,vacationInfo,vacationEnd"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by self write
    by users read
    by * read

## Computers
### Entry creation by admins
# The samba system account may also create computer entries (machine accounts).
access to dn.regex="^ou=computers,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by users read
    by * none

access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by users read
    by * none


### Admins may modify these attributes; samba may see them
# NOTE(review): the heading says samba may "see" these, but the rule grants
# samba write; adjust the heading (or the level) so they agree.
access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="sambaLMPassword,sambaNTPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by * none

### Admins may modify these attributes; authenticated users may see them
access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="cn,uid,uidNumber,gidNumber,homeDirectory,sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by users read
    by * none


## Authenticated users may see the nodes and admins may add them
# Default for the "entry" pseudo-attribute of anything not matched above:
# the existence of every remaining entry is visible to authenticated users
# only; adminldap may add/remove such entries.
access to * attrs="entry"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none

## SambaDomains
### Entry creation by admins
# No attrs restriction: the whole OU entry is readable by samba and by
# authenticated users, writable by adminldap only.
access to dn.regex="^ou=sambadomains,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" read
    by users read
    by * none

## Everything else
# Default deny: any entry or attribute not matched by an earlier clause
# (including attributes introduced by future schema additions) is visible
# and writable by adminldap only.
access to *
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * none