change ldap base dn entries to use variables
This commit is contained in:
parent
53cacdcb2e
commit
40abdfca64
1 changed files with 15 additions and 10 deletions
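--- a/FILE_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -51,18 +51,18 @@ TLSCipherSuite {{ tls_ciphers }}
 TLSProtocolMin 3.3
 
 #####################################################################
-# database dc=foo,dc=sh configurations
+# database {{ ldap_basedn }} configurations
 #####################################################################
 
 database mdb
 # 1GB i guess we don't go beyond this
 maxsize 1073741824
 
-suffix "dc=foo,dc=sh"
-rootdn "cn=manager,dc=foo,dc=sh"
+suffix "{{ ldap_basedn }}"
+rootdn "cn=manager,{{ ldap_basedn }}"
 
 overlay ppolicy
-ppolicy_default cn=pwdPolicy,ou=System,dc=foo,dc=sh
+ppolicy_default cn=pwdPolicy,ou=System,{{ ldap_basedn }}
 ppolicy_hash_cleartext
 ppolicy_use_lockout
 password-hash {CRYPT}
@@ -74,7 +74,7 @@ syncprov-sessionlog 100
 
 overlay constraint
 constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
-constraint_attribute uniqueMember uri ldap:///ou=People,dc=foo,dc=sh?entryDN?one?(objectClass=inetOrgPerson)
+constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)
 
 # database directory
 # chmod 700 so ldap:ldap can create encrypted backups with group readable
@@ -87,11 +87,11 @@ index entryCSN,entryUUID,objectClass eq
 # map root user to manager when authenticating via socket
 authz-regexp
 "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
-"cn=manager,dc=foo,dc=sh"
+"cn=manager,{{ ldap_basedn }}"
 # map rest of users authenticating via socket to correct ldap entries
 authz-regexp
 "gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
-"ldap:///dc=foo,dc=sh??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
+"ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
 
 # require authentication for authenticated users that don't match above
 access to *
@@ -104,20 +104,25 @@ access to attrs=userPassword
 by self write
 by * compare
 
+# allow kerberos to read own objects
+access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
+by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
+by * none
+
 # allow group owners to edit members
-access to dn.one=ou=Groups,dc=foo,dc=sh filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
+access to dn.one=ou=Groups,{{ ldap_basedn }} filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
 by dnattr=owner write
 by users read
 by * none
 
 # allow self to change login shell
-access to dn.one=ou=People,dc=foo,dc=sh attrs=loginShell
+access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
 by self write
 by users read
 by * none
 
 # block rest of queries to ou=System tree
-access to dn.sub=ou=System,dc=foo,dc=sh
+access to dn.sub=ou=System,{{ ldap_basedn }}
 by * none
 
 # for the rest allow users to read and block rest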
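Review bot: In the new kerberos ACL of the fourth hunk, the target DN on `access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}` is spliced in unquoted while the very next line quotes its DN in `by dn.exact="uid=krb5kdc,…"`; the same unquoted splice now appears in the `dn.one=ou=Groups,…`, `dn.one=ou=People,…` and `dn.sub=ou=System,…` rules of that hunk and in the `ldap:///` URIs of the second and third hunks. slapd.conf splits directive arguments on whitespace, so a value of `ldap_basedn` or `kerberos_realm` that contains a space would change what these ACLs match instead of failing loudly; quoting the DN the way the `by dn.exact=` line already does, `access to dn.sub="cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}"`, keeps each rule intact. Because the two variables now drive the suffix, rootdn, the authz-regexp mappings and every ACL boundary, their contract should be stated once at the top of the database section in the first hunk, e.g. `# ldap_basedn: normalized base DN with no spaces or quotes; it must equal the directory's real suffix, otherwise the dn.* ACLs below will likely not match the intended entries`. The rendered page does not show leading whitespace, so whether the `by` continuation lines keep their indentation cannot be checked from here.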