From 6c917dc6968cea6c43e47605cfcdb1b5ed80e35c Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 31 May 2019 02:31:58 +0300
Subject: [PATCH] add acl's for kadmin user

---
 roles/ldap/server/templates/slapd.conf.j2 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/ldap/server/templates/slapd.conf.j2 b/roles/ldap/server/templates/slapd.conf.j2
index b7618f5..43e0381 100644
--- a/roles/ldap/server/templates/slapd.conf.j2
+++ b/roles/ldap/server/templates/slapd.conf.j2
@@ -106,8 +106,15 @@ access to attrs=userPassword
 	by self write
 	by * compare
 
+# allow kerberos to write password changes
+access to attrs=krbPrincipalKey,krbExtraData,krbLoginFailedCount,krbTicketFlags,krbPasswordExpiration,krbLastPwdChange
+	by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" write
+	by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
+	by * none
+
 # allow kerberos to read own objects
 access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
+	by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
 	by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
 	by * none
 
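Review bot: The KDC bind DN `uid=krb5kdc,…` gets only `read` on the new attribute list, yet `krbLoginFailedCount` (second line of the new rule) is an attribute the KDC itself must update when account lockout is in effect — if this is MIT krb5's LDAP back-end with `disable_lockout` unset, the KDC's modify is refused under this ACL and failed-login counting silently stops, and its companions `krbLastFailedAuth`/`krbLastSuccessfulAuth` are not covered by the rule at all. If lockout is meant to work, move those three attributes into their own rule placed before this one with `write` for the KDC, as sketched below; if lockout is deliberately disabled in the KDC configuration, extend the comment to say so, e.g. `# KDC gets read only: lockout counters are not maintained (disable_lockout)`. Ending with `by * none` is the right terminal clause for key material, since it also denies `self` and so a principal cannot read its own `krbPrincipalKey`. Whether `uid=krb5kadmin` can actually add or delete principal entries depends on `entry`/`children` grants in rules outside this hunk; the `read` added to the `dn.sub` rule only covers the system container, not the principals themselves.
```jinja
# lockout counters the KDC maintains itself on each failed/successful AS-REQ
access to attrs=krbLoginFailedCount,krbLastFailedAuth,krbLastSuccessfulAuth
	by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" write
	by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" write
	by * none
# … unchanged: the krbPrincipalKey rule, with krbLoginFailedCount dropped from its attrs list …
```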