mirror of
https://github.com/YunoHost/moulinette.git
synced 2024-09-03 20:06:31 +02:00
94 lines
3.2 KiB
Text
94 lines
3.2 KiB
Text
|
serverID %(serverid)s
|
||
|
|
moduleload back_%(database)s
|
||
|
|
moduleload memberof
|
||
|
|
%(include_directives)s
|
||
|
|
loglevel %(loglevel)s
|
||
|
|
#allow bind_v2
|
||
|
|
database %(database)s
|
||
|
|
directory "%(directory)s"
|
||
|
|
suffix "%(suffix)s"
|
||
|
|
rootdn "%(rootdn)s"
|
||
|
|
rootpw "%(rootpw)s"
|
||
|
|
TLSCACertificateFile "%(cafile)s"
|
||
|
|
TLSCertificateFile "%(servercert)s"
|
||
|
|
TLSCertificateKeyFile "%(serverkey)s"
|
||
|
|
authz-regexp
|
||
|
|
"gidnumber=%(root_gid)s\\+uidnumber=%(root_uid)s,cn=peercred,cn=external,cn=auth"
|
||
|
|
"%(rootdn)s"
|
||
|
|
|
||
|
|
index objectClass eq
|
||
|
|
index uid,sudoUser eq,sub
|
||
|
|
index entryCSN,entryUUID eq
|
||
|
|
index cn,mail eq
|
||
|
|
index gidNumber,uidNumber eq
|
||
|
|
index member,memberUid,uniqueMember eq
|
||
|
|
index virtualdomain eq
|
||
|
|
|
||
|
|
# The userPassword by default can be changed
|
||
|
|
# by the entry owning it if they are authenticated.
|
||
|
|
# Others should not be able to see it, except the
|
||
|
|
# admin entry below
|
||
|
|
# These access lines apply to database #1 only
|
||
|
|
access to attrs=userPassword,shadowLastChange
|
||
|
|
by dn="cn=admin,dc=yunohost,dc=org" write
|
||
|
|
by dn.exact="gidNumber=%(root_gid)s+uidnumber=%(root_uid)s,cn=peercred,cn=external,cn=auth" write
|
||
|
|
by anonymous auth
|
||
|
|
by self write
|
||
|
|
by * none
|
||
|
|
|
||
|
|
# Personnal information can be changed by the entry
|
||
|
|
# owning it if they are authenticated.
|
||
|
|
# Others should be able to see it.
|
||
|
|
access to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn
|
||
|
|
by dn="cn=admin,dc=yunohost,dc=org" write
|
||
|
|
by dn.exact="gidNumber=%(root_gid)s+uidnumber=%(root_uid)s,cn=peercred,cn=external,cn=auth" write
|
||
|
|
by self write
|
||
|
|
by * read
|
||
|
|
|
||
|
|
# Ensure read access to the base for things like
|
||
|
|
# supportedSASLMechanisms. Without this you may
|
||
|
|
# have problems with SASL not knowing what
|
||
|
|
# mechanisms are available and the like.
|
||
|
|
# Note that this is covered by the 'access to *'
|
||
|
|
# ACL below too but if you change that as people
|
||
|
|
# are wont to do you'll still need this if you
|
||
|
|
# want SASL (and possible ldap_files things) to work
|
||
|
|
# happily.
|
||
|
|
access to dn.base="" by * read
|
||
|
|
|
||
|
|
# The admin dn has full write access, everyone else
|
||
|
|
# can read everything.
|
||
|
|
access to *
|
||
|
|
by dn="cn=admin,dc=yunohost,dc=org" write
|
||
|
|
by dn.exact="gidNumber=%(root_gid)s+uidnumber=%(root_uid)s,cn=peercred,cn=external,cn=auth" write
|
||
|
|
by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
|
||
|
|
by * read
|
||
|
|
|
||
|
|
# Configure Memberof Overlay (used for Yunohost permission)
|
||
|
|
|
||
|
|
# Link user <-> group
|
||
|
|
#dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
|
||
|
|
overlay memberof
|
||
|
|
memberof-group-oc groupOfNamesYnh
|
||
|
|
memberof-member-ad member
|
||
|
|
memberof-memberof-ad memberOf
|
||
|
|
memberof-dangling error
|
||
|
|
memberof-refint TRUE
|
||
|
|
|
||
|
|
# Link permission <-> groupes
|
||
|
|
#dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
|
||
|
|
overlay memberof
|
||
|
|
memberof-group-oc permissionYnh
|
||
|
|
memberof-member-ad groupPermission
|
||
|
|
memberof-memberof-ad permission
|
||
|
|
memberof-dangling error
|
||
|
|
memberof-refint TRUE
|
||
|
|
|
||
|
|
# Link permission <-> user
|
||
|
|
#dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
|
||
|
|
overlay memberof
|
||
|
|
memberof-group-oc permissionYnh
|
||
|
|
memberof-member-ad inheritPermission
|
||
|
|
memberof-memberof-ad permission
|
||
|
|
memberof-dangling error
|
||
|
|
memberof-refint TRUE
|