ldapsaisie/trunk/lsexample/permissions-ls.conf
Benjamin Renard 773350cbae - Passage en UTF-8 de tout les fichiers sources
- Ajout du meta UTF-8 (top.tpl)
2008-04-25 14:09:27 +00:00

208 lines
8.1 KiB
Text

## Racine
access to dn.regex="^o=ls$" attrs="entry,children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * read
## Sysaccounts
### Ajout d'entrees par les admins
access to dn.regex="^ou=sysaccounts,o=ls$" attrs="children"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * none
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$" attrs="entry,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * none
### Les admins peuvent modifier le mot de passe, les autres peuvent s'en servir pour l'authentification
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$" attrs="userPassword"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by anonymous auth
by * none
### Les admins peuvent modifier tous les attributs, les autres ne voient rien
access to dn.regex="^uid=[^,]+,ou=sysaccounts,o=ls$"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by * none
## Aliases
### Ajout d'entrees par les admins
access to dn.regex="^ou=aliases,o=ls$" attrs="children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by * read
access to dn.regex="^mail=[^,]+,ou=aliases,o=ls$" attrs="entry,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by * read
### Les admins peuvent modifier tous les attributs, tout le monde peut voir
access to dn.regex="^mail=[^,]+,ou=aliases,o=ls$"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by * read
## Mailboxes
### Ajout d'entrees par les admins
access to dn.regex="^ou=mailboxes,o=ls$" attrs="children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by * read
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="entry,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by * read
### Les admins peuvent modifier le mot de passe, les autres peuvent s'en servir pour l'authentification
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="userPassword"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by anonymous auth
by * none
### Les admins peuvent modifier ces attributs, l'appli mail le voir, les autres aucun droits
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="mailbox,mailforwardingaddress"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=mail,ou=sysaccounts,o=ls" read
by * none
### Les admins peuvent modifier ces attributs, les authentifies peuvent les voir
access to dn.regex="^uid=[^,]+,ou=mailboxes,o=ls$" attrs="uid,description,mail,mailalternateaddress,mailquota,eeallowedservices"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by * read
## Groups
### Ajout d'entrees par les admins
access to dn.regex="^ou=groups,o=ls$" attrs="children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * none
access to dn.regex="^cn=[^,]+,ou=groups,o=ls$" attrs="entry,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * none
### Les admins peuvent tout modifier, les authentifies peuvent tout voir
access to dn.regex="^cn=[^,]+,ou=groups,o=ls$"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * none
## Peoples
### Ajout d'entrees par les admins
access to dn.regex="^ou=people,o=ls$" attrs="children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * read
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="entry,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * read
### Les admins peuvent modifier le mot de passe, samba le mettre à jour, les autres peuvent s'en servir pour l'authentification
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="userPassword"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" write
by self write
by anonymous auth
by * none
### Les admins peuvent modifier ces attributs, l'appli mail les voir, les autres aucun droits
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="mailbox"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=mail,ou=sysaccounts,o=ls" read
by * none
### Les admins peuvent modifier ces attributs, les authentifies peuvent les voir
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="uid,mailquota,eeallowedservices,uidNumber,gidNumber,homeDirectory,loginShell,sambaSID,sambaAcctFlags,sambaPrimaryGroupSID"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * none
### Les admins peuvent modifier ces attributs, le proprio aussi, gnarwl peut les modifier et mail les voir
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="mailforwardingaddress"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=gnarwl,ou=sysaccounts,o=ls" write
by self write
by dn="uid=mail,ou=sysaccounts,o=ls" read
by * none
### Les admins peuvent modifier ces attributs, le proprio aussi, les authentifies peuvent les voir, gnarwl peut les modifier
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="vacationActive"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=gnarwl,ou=sysaccounts,o=ls" write
by self write
by users read
by * none
### Les admins peuvent modifier ces attributs, le proprio aussi, mail et gnarwl peuvent les voir
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="vacationForward"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by self write
by dn="uid=mail,ou=sysaccounts,o=ls" read
by dn="uid=gnarwl,ou=sysaccounts,o=ls" read
by * none
### Les admins peuvent modifier ces attributs, le proprio aussi, samba aussi
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="sambaLMPassword,sambaNTPassword"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" write
by self write
by * none
### Les admins peuvent modifier ces attributs, le proprio aussi, les authentifies peuvent les voir
access to dn.regex="^uid=[^,]+,ou=people,o=ls$" attrs="c,cn,jpegPhoto,personalTitle,sn,givenName,postalAddress,postalCode,l,st,telephoneNumber,mobile,fax,mail,mailalternateaddress,maildrop,description,vacationInfo,vacationEnd"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by self write
by users read
by * read
## Computers
### Ajout d'entrees par les admins
access to dn.regex="^ou=computers,o=ls$" attrs="children,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" write
by users read
by * none
access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="entry,objectclass"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" write
by users read
by * none
### Les admins peuvent modifier ces attributs, samba peut les voir
access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="sambaLMPassword,sambaNTPassword"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" write
by * none
### Les admins peuvent modifier ces attributs, les authentifiés peuvent les voir
access to dn.regex="^uid=[^,]+,ou=computers,o=ls$" attrs="cn,uid,uidNumber,gidNumber,homeDirectory,sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaPwdCanChange,sambaPwdMustChange,sambaPwdLastSet"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" write
by users read
by * none
## Les authentifies peuvent voir les noeuds et les admins peuvent en ajouter
access to * attrs="entry"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by users read
by * none
## SambaDomains
### Ajout d'entrees par les admins
access to dn.regex="^ou=sambadomains,o=ls$"
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by dn="uid=samba,ou=sysaccounts,o=ls" read
by users read
by * none
## Le reste
access to *
by group/lsgroup/uniqueMember="cn=adminldap,ou=groups,o=ls" write
by * none