From da549daaaa069e225f2ba05338cda5557df0e314 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 11 Sep 2020 14:45:11 +0000
Subject: [PATCH] ldap/server: Add ACL support for netgroups

---
 roles/ldap/server/templates/slapd.conf.j2 | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/roles/ldap/server/templates/slapd.conf.j2 b/roles/ldap/server/templates/slapd.conf.j2
index 0fd38b7..2deba52 100644
--- a/roles/ldap/server/templates/slapd.conf.j2
+++ b/roles/ldap/server/templates/slapd.conf.j2
@@ -168,6 +168,17 @@ access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
  by users read
  by * none
 
+# allow reads to netgroups
+# TODO: change that only sysadm + host certs can read
+access to dn.sub=ou=Netgroup,ou=System,{{ ldap_basedn }}
+ by users read
+ by * none
+
+# allow reads to ou=System object itself
+access to dn.base=ou=System,{{ ldap_basedn }}
+ by users read
+ by * none
+
 # block rest of queries to ou=System tree
 access to dn.sub=ou=System,{{ ldap_basedn }}
  by * none
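Review bot: The new `access to dn.sub=ou=Netgroup,ou=System,…` rule lets any bound account read every netgroup entry, including the host/user/domain triples, which the TODO on the line above it concedes; that exposure is an enumeration aid for anyone with a low-privilege bind, so it should not ship as a bare TODO. Since slapd applies the first matching `access to` clause and, within it, the first matching `by` clause, the intended restriction needs no restructuring: replace `by users read` with a `by group.exact=<sysadm group DN> read` line followed by a `by dn.children=<host entries base> read` line, keeping `by * none` last; the hunk does not show where the sysadm group or host entries live, so those DNs must come from the rest of this template. The two new rules also rely on sitting above the existing `dn.sub=ou=System … by * none` catch-all, which a later edit could silently break, so add `# keep above the ou=System deny-all: slapd uses the first matching "access to" clause` to both. The `dn.base=ou=System` read is only needed if clients search with that base, so its comment should say which consumer requires it.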