WIP Add service accounts and ACIs

lib/tasks/ldap.rake

@@ -19,6 +19,18 @@ namespace :ldap do
     }, true
   end
 
+  # TODO
+  desc "Add application account to directory"
+  task add_application_account: :environment do |t, args|
+    # Add uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org with userPassword
+  end
+
+  # TODO
+  desc "Add application ACI/permissions for OU, i.e. read/search users"
+  task add_application_account: :environment do |t, args|
+    # (target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+  end
+
   desc "Add custom attributes to schema"
   task add_custom_attributes: :environment do |t, args|
     %w[ admin service_enabled nostr_key ].each do |name|

schemas/ldap/aci.ldif

@@ -0,0 +1,4 @@
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || serviceEnabled || displayName || jpegPhoto || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)

schemas/ldap/delete-aci.ldif

@@ -0,0 +1,4 @@
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
+changetype: modify
+delete: aci
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)