# slapd access control list for the "o=ls" directory.
#
# Evaluation model (slapd.access(5)): clauses are tried top to bottom and the
# FIRST "access to" whose <what> matches the target entry/attribute is the one
# that applies; inside a clause, the first matching "by" wins.  Privileges are
# cumulative, so "write" also grants read, "auth" grants bind-only access, and
# "none" denies everything.  Anything not matched by a specific clause falls
# through to the two catch-all clauses at the end of this file.
#
# Principals used throughout:
#   - admins : members (uniqueMember) of the lsgroup cn=adminldap,ou=groups,o=ls
#   - uid=mail, uid=samba, uid=gnarwl under ou=sysaccounts : service accounts
#   - users  : any authenticated bind;  *  : everyone, including anonymous

## Root
# Root node: admins manage it, everyone (anonymous included) can see it exists
# and add/list children through it.  Its other attributes (e.g. "o") are not
# listed here and fall through to the final catch-all (admins only).
access to dn.regex="^o=ls$" attrs="entry,children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * read

## Sysaccounts
### Entry creation by admins
# Only "children" is listed here (unlike the other ou= clauses, which also
# list objectclass), so "objectclass" of ou=sysaccounts falls through to the
# final catch-all and is not readable by non-admins; its "entry" pseudo-
# attribute is covered by the "access to * attrs=entry" clause below.
access to dn.regex="^ou=sysaccounts,o=ls$" attrs="children"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none
### Admins may change the password; everyone else may only use it to bind
# No "by self" here: a service account cannot change its own password.
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$" attrs="userPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by anonymous auth
    by * none
### Admins may modify every other attribute; nobody else sees anything
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * none

## Aliases
### Entry creation by admins
access to dn.regex="^ou=aliases,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read
access to dn.regex="^mail=[^,]+,ou=aliases,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read
### Admins may modify every attribute; everyone (anonymous included) may read
access to dn.regex="^mail=[^,]+,ou=aliases,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read

## Mailboxes
### Entry creation by admins
access to dn.regex="^ou=mailboxes,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read
### Admins may change the password; everyone else may only use it to bind
# As for sysaccounts, there is no "by self": mailbox owners cannot change
# their own password through LDAP.
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="userPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by anonymous auth
    by * none
### Admins may modify these attributes, the mail application may read them,
### nobody else has any access
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="mailbox,mailforwardingaddress"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=mail,ou=sysaccounts,o=ls" read
    by * none
### Admins may modify these attributes; everyone may read them
# NOTE(review): the original comment said "authenticated users may see them",
# but the rule is "by * read", so anonymous clients can read these attributes
# too.  Compare the equivalent people clause below, which uses
# "by users read / by * none".  Confirm which behaviour is intended.
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="uid,description,mail,mailalternateaddress,mailquota,eeallowedservices"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * read

## Groups
### Entry creation by admins
access to dn.regex="^ou=groups,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none
access to dn.regex="^cn=[^,]+,ou=groups,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none
### Admins may modify everything; authenticated users may read everything
# This includes uniqueMember of cn=adminldap itself, so any authenticated
# user can list who the directory admins are.
access to dn.regex="^cn=[^,]+,ou=groups,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none

## People
### Entry creation by admins
# "by users read" is redundant here: the following "by * read" already
# covers authenticated users.  Kept as written.
access to dn.regex="^ou=people,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * read
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * read
### Admins may change the password, samba may update it, the owner may change
### it, everyone else may only use it to bind
# "by self write" also lets a user read back their own stored userPassword
# value (write includes read).  A write-only privilege spec (see
# slapd.access(5)) would allow changing without reading, if that is preferred.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="userPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by self write
    by anonymous auth
    by * none
### Admins may modify this attribute, the mail application may read it,
### nobody else has any access
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="mailbox"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=mail,ou=sysaccounts,o=ls" read
    by * none
### Admins may modify these attributes; authenticated users may read them
# NOTE(review): sambaPwdLastSet / sambaPwdCanChange / sambaPwdMustChange are
# granted to uid=samba on computer entries below but are not listed in any
# people clause, so on people entries they fall through to the final
# "access to *" and uid=samba gets no access to them.  If samba is expected
# to update these on password change, confirm that this is intended.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="uid,mailquota,eeallowedservices,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaAcctFlags,sambaPrimaryGroupSID"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none
### Admins may modify this attribute, so may the owner and gnarwl; the mail
### application may read it; nobody else has any access
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="mailforwardingaddress"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=gnarwl,ou=sysaccounts,o=ls" write
    by self write
    by dn="uid=mail,ou=sysaccounts,o=ls" read
    by * none
### Admins may modify this attribute, so may the owner and gnarwl;
### authenticated users may read it
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="vacationActive"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=gnarwl,ou=sysaccounts,o=ls" write
    by self write
    by users read
    by * none
### Admins may modify this attribute, so may the owner; mail and gnarwl may
### read it
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="vacationForward"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by self write
    by dn="uid=mail,ou=sysaccounts,o=ls" read
    by dn="uid=gnarwl,ou=sysaccounts,o=ls" read
    by * none
### Admins may modify these attributes, so may the owner and samba
# "by self write" includes read, so a user can retrieve their own LM/NT
# hashes; these are password-equivalent for NTLM.  A write-only privilege
# spec (slapd.access(5)) would be stricter if owners only need to set them.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="sambaLMPassword,sambaNTPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by self write
    by * none
### Admins may modify these attributes, so may the owner; everyone may read
# NOTE(review): the original comment said "authenticated users may see them",
# but "by * read" also grants anonymous read (and makes "by users read"
# redundant).  Confirm whether anonymous read of these profile attributes
# is intended.
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="c,cn,jpegPhoto,personalTitle,sn,givenName,postalAddress,postalCode,l,st,telephoneNumber,mobile,fax,mail,mailalternateaddress,maildrop,description,vacationInfo,vacationEnd"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by self write
    by users read
    by * read

## Computers
### Entry creation by admins and by samba
access to dn.regex="^ou=computers,o=ls$" attrs="children,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by users read
    by * none
access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="entry,objectclass"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by users read
    by * none
### Admins and samba may modify the machine password hashes; nobody else
### has any access
# The original comment said samba "may see" them; the rule actually grants
# samba write (which includes read).
access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="sambaLMPassword,sambaNTPassword"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by * none
### Admins and samba may modify these attributes; authenticated users may
### read them
# Any computer attribute not listed here (or above) falls through to the
# final "access to *": admins only, no access for samba.
access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="cn,uid,uidNumber,gidNumber,homeDirectory,sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" write
    by users read
    by * none

## Authenticated users may see nodes, admins may add them
# Catch-all for the "entry" pseudo-attribute of every entry not matched by an
# earlier clause.  Because it precedes the SambaDomains clause below, it is
# also the clause that governs "entry" on ou=sambadomains,o=ls (same result
# for uid=samba today, since it is an authenticated user, but the ordering
# makes the SambaDomains clause partly ineffective; a specific clause should
# normally sit before any "access to *").
access to * attrs="entry"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by users read
    by * none

## SambaDomains
### Entry creation by admins; samba and authenticated users may read the ou
# NOTE(review): the regex is anchored to the ou itself.  Entries beneath it
# (e.g. sambaDomainName=...,ou=sambadomains,o=ls) are not covered and fall
# through to the final "access to *", where uid=samba has no access to their
# attributes.  Confirm whether samba needs to read/update domain entries here.
access to dn.regex="^ou=sambadomains,o=ls$"
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by dn="uid=samba,ou=sysaccounts,o=ls" read
    by users read
    by * none

## Everything else
# Default deny: any entry/attribute not matched above is writable by admins
# and invisible to everyone else (service accounts included).
access to *
    by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
    by * none