directory-commits mailing list archives

From smckin...@apache.org
Subject directory-fortress-core git commit: FC-133 - Change audit flags - fix ACLs
Date Tue, 09 Feb 2016 22:23:19 GMT
Repository: directory-fortress-core
Updated Branches:
  refs/heads/master 92e329fa2 -> df91b2a1c


FC-133 - Change audit flags - fix ACLs


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/df91b2a1
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/df91b2a1
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/df91b2a1

Branch: refs/heads/master
Commit: df91b2a1c302cff01a7ed89682b9f2b89f968889
Parents: 92e329f
Author: Shawn McKinney <smckinney@apache.org>
Authored: Tue Feb 9 06:05:14 2016 -0600
Committer: Shawn McKinney <smckinney@apache.org>
Committed: Tue Feb 9 06:05:14 2016 -0600

----------------------------------------------------------------------
 ldap/slapd.conf.src | 69 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 45 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/df91b2a1/ldap/slapd.conf.src
----------------------------------------------------------------------
diff --git a/ldap/slapd.conf.src b/ldap/slapd.conf.src
index d043419..54bf681 100755
--- a/ldap/slapd.conf.src
+++ b/ldap/slapd.conf.src
@@ -53,32 +53,53 @@ moduleload  accesslog.la
 @DDS_MODULE@
 @MONITOR_MODULE@
 
-### ACLs
-@IS_RBAC_ACCELERATOR@access to dn="" by * read
-@IS_RBAC_ACCELERATOR@access to *
-@IS_RBAC_ACCELERATOR@	by self write
-@IS_RBAC_ACCELERATOR@	by users read
-@IS_RBAC_ACCELERATOR@	by anonymous auth
-@IS_RBAC_ACCELERATOR@	by sockurl="^ldapi:///$" write
-
-### This one allows user to modify their own password (needed for pw policies):
-### This also allows user to modify their own ftmod attributes (needed for audit):
-access to attrs=userpassword
-         by self write
-         by * auth
-
-### Must allow access to dn.base to read supported features on this directory:
-access to dn.base="" by * read
-access to dn.base="cn=Subschema" by * read
+# ACLS:
+access to dn.base=""
+  by * read
+
+# LDAPv3 Schema
+access to dn.base="cn=subschema"
+  by * read
+
+# Internal OpenLDAP config backend
+access to dn.subtree="cn=config"
+  by * none
+
+# Monitor backend
+@IS_RBAC_ACCELERATOR@access to dn.subtree="cn=monitor"
+@IS_RBAC_ACCELERATOR@  by dn.base="@ROOT_DN@" write
+@IS_RBAC_ACCELERATOR@  by users read
+
+# Generic overall privilege
 access to *
-	by self write
-	by anonymous auth
+  by anonymous auth
+  by dn.base="@ROOT_DN@" manage
+  by * break
+
+# Password should be protected, allow user to modify their own audit attributes.
+access to attrs=userPassword,ftModifier,ftModCode,ftModId
+  by self =wx
+  by * none
+
+# Self-readable password policy info
+access to attrs=pwdFailureTime,pwdChangedTime,pwdGraceUseTime,pwdReset,pwdPolicySubentry
+  by self read
+  by * none
+
+# Admin-only password policy info
+access to attrs=pwdAccountLockedTime,pwdHistory
+  by * none
+
+# Users may read their own attributes
+access to attrs=@inetorgperson
+  by users read
+  by * none
+
+access to attrs=@shadowAccount
+  by * none
+
+access to * by users read
 
-### Disable null base search of rootDSE
-### This disables auto-discovery capabilities of clients.
-# Changed -> access to dn.base="" by * read <- to the following:
-access to dn.base=""
-     by * none
 password-hash {SSHA}
 
 #######################################################################
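Review bot: the comment "Users may read their own attributes" does not match the rule under it, since `by users read` on `attrs=@inetorgperson` grants every authenticated user read on those attributes of every entry, not only their own; if the comment states the intent, the rule should be `by self read`, otherwise the comment should say that all authenticated users can read inetOrgPerson attributes. The same applies to the closing `access to * by users read`, which lets any authenticated user read everything not matched by an earlier clause, including the Fortress-specific attributes that `@inetorgperson` does not cover. Two smaller points: the removed block "Disable null base search of rootDSE ... by * none" was already unreachable in the old file because the earlier `access to dn.base="" by * read` matched first, so the new explicit `by * read` on the rootDSE does not change behaviour, but dropping the lockdown intent deserves a mention in the commit message; and the `by dn.base="@ROOT_DN@" manage` / `write` grants are redundant if @ROOT_DN@ is the database rootdn, because slapd's rootdn bypasses ACL evaluation for its own database.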

