docker/ldap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update ACLs

Browse Source
This commit is contained in:
Deon George 2023-04-01 10:56:40 +11:00
parent 66b5caede2
commit 3f4be4084c
2 changed files with 115 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Dockerfile
View File

@ -8,7 +8,7 @@ RUN if [ -n ${HTTP_PROXY} ] ; then sed -ie s'/https/http/' /etc/apk/repositories
RUN apk add --no-cache bash openldap openldap-back-mdb openldap-clients
ADD samba.ldif wurley.ldif /etc/openldap/schema/
ADD acl.ldif samba.ldif wurley.ldif /etc/openldap/schema/
RUN sed -ie 's/dc=my-domain,dc=com/c=AU/' /etc/openldap/slapd.ldif \
&& sed -ie 's/openldap-data/data/' /etc/openldap/slapd.ldif \
&& mv /var/lib/openldap/openldap-data /var/lib/openldap/data \
@ -17,6 +17,7 @@ RUN sed -ie 's/dc=my-domain,dc=com/c=AU/' /etc/openldap/slapd.ldif \
&& slapadd -b cn=config -l /etc/openldap/schema/misc.ldif \
&& slapadd -b cn=config -l /etc/openldap/schema/samba.ldif \
&& slapadd -b cn=config -l /etc/openldap/schema/wurley.ldif \
&& slapmodify -b cn=config -l /etc/openldap/schema/acl.ldif \
&& chown -R ldap:ldap /etc/openldap/slapd.d /var/lib/openldap/data
# Starting

113
acl.ldif Normal file
View File

@ -0,0 +1,113 @@
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
olcAccess: to dn.base="c=au"
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by * read
olcAccess: to dn.regex="o=(.*),c=(.*)$" attrs=wsAccountContact
by dnattr=wsAccountOwner read
by self write
by anonymous auth
by dnattr=wsAccountOwner read
by * read
olcAccess: to dn.regex="^o=(.*),c=(.*)$"
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" read
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" read
by dn.regex="cn=.*,ou=People,o=$1,c=$2" read
by dn.regex="cn=.*,ou=Robots,c=AU" read
by * read
olcAccess: to dn.regex="ou=(People|Customers),o=(.*),c=(.*)$" attrs=mail,uid
by self write
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
by dn.regex="cn=.*,ou=Robots,c=AU" read
by * search
olcAccess: to dn.regex="ou=(People|Customers),o=(.*),c=(.*)$" attrs=shadowLastChange
by self write
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
by dn.regex="cn=.*,ou=Robots,c=AU" read
olcAccess: to dn.regex="ou=(People|Customers|Applications),o=(.*),c=(. *)$" attrs=mail,uid,mailRoutingAddress,mailHost,entry
by self write
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
by * read
olcAccess: to dn.regex="ou=People,o=(.*),c=(.*)$"
by self write
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
by dn.regex="cn=.*,ou=People,o=$1,c=$2" read
by dn.regex="cn=.*,ou=Robots,c=AU" read
by * read
olcAccess: to dn.regex="ou=(Customers|Groups),o=(.*),c=(.*)$"
by self write
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
by dn.regex="cn=.*,ou=Robots,c=AU" read
olcAccess: to dn.regex="ou=Applications,o=(.*),c=(.*)$"
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" read
by dnattr=uniqueMember read
by dn.regex="cn=.*,ou=Robots,c=AU" read
olcAccess: to dn.regex="ou=DNS,o=(.*),c=(.*)$"
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=Management,ou=Admin,o=$1,c=$2" read
by dn.regex="cn=.*,ou=Robots,c=AU" read
olcAccess: to dn.regex="ou=DSL,o=(.*),c=(.*)$"
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=Management,ou=Admin,o=$1,c=$2" read
by dnattr=wsAccountOwner read
by dn.regex="cn=.*,ou=Robots,c=AU" read
olcAccess: to dn.regex="ou=Hosts,o=(.*),c=(.*)$"
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" read
by dn.regex="cn=.*,ou=Robots,c=AU" read
olcAccess: to dn.regex="ou=Network,o=(.*),c=(.*)$"
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=Management,ou=Admin,o=$1,c=$2" read
by dn.regex="cn=.*,ou=Robots,c=AU" read
olcAccess: to dn.regex="ou=(.*),o=(.*),c=(.*)$" attrs=uniqueMember,member
by self write
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$2,c=$3" write
by dnattr=uniqueMember read
by dn.regex="cn=.*,ou=Robots,c=AU" read
olcAccess: to dn.regex="ou=(.*),o=(.*),c=(.*)$"
by self write
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by dn.regex="cn=.*,ou=Robots,c=AU" read
by dnattr=wsAccountOwner read
olcAccess: to *
by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
by * search
-
replace: olcAddContentAcl
olcAddContentAcl: FALSE
-
replace: olcLastMod
olcLastMod: TRUE
-
replace: olcMaxDerefDepth
olcMaxDerefDepth: 0
-
replace: olcReadOnly
olcReadOnly: FALSE
-
replace: olcMonitoring
olcMonitoring: FALSE