WIP Add service accounts and ACIs

2024-03-28 10:57:12 +04:00
3 changed files with 20 additions and 0 deletions
--- a/lib/tasks/ldap.rake
+++ b/lib/tasks/ldap.rake
@ -19,6 +19,18 @@ namespace :ldap do
    }, true
  end

+  # TODO
+  desc "Add application account to directory"
+  task add_application_account: :environment do |t, args|
+    # Add uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org with userPassword
+  end
+
+  # TODO
+  desc "Add application ACI/permissions for OU, i.e. read/search users"
+  task add_application_account: :environment do |t, args|
+    # (target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+  end
+
  desc "Add custom attributes to schema"
  task add_custom_attributes: :environment do |t, args|
    %w[ admin service_enabled nostr_key ].each do |name|
--- a/schemas/ldap/aci.ldif
+++ b/schemas/ldap/aci.ldif
@ -0,0 +1,4 @@
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || serviceEnabled || displayName || jpegPhoto || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
--- a/schemas/ldap/delete-aci.ldif
+++ b/schemas/ldap/delete-aci.ldif
@ -0,0 +1,4 @@
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
+changetype: modify
+delete: aci
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)