From e56faab5b16ef470682411137905f7315cefc3a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 12 Feb 2020 16:13:45 +0100
Subject: [PATCH 1/2] Set the ACIs on the base DN

Allow users to change their own password, but nothing else (no search, no read, no write)

This will only run when setting up the 389-dirsrv instance for the first time, this has been applied on barnard by editing the dn (see https://gitea.kosmos.org/kosmos/chef/issues/128#issuecomment-1542)

Closes #128
---
 site-cookbooks/kosmos-dirsrv/files/users.ldif | 2 ++
 site-cookbooks/kosmos-dirsrv/metadata.rb | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/site-cookbooks/kosmos-dirsrv/files/users.ldif b/site-cookbooks/kosmos-dirsrv/files/users.ldif
index 5055e99..136fd00 100644
--- a/site-cookbooks/kosmos-dirsrv/files/users.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
@@ -2,3 +2,5 @@ dn: ou=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: users
+aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
diff --git a/site-cookbooks/kosmos-dirsrv/metadata.rb b/site-cookbooks/kosmos-dirsrv/metadata.rb
index 74140a1..b022a52 100644
--- a/site-cookbooks/kosmos-dirsrv/metadata.rb
+++ b/site-cookbooks/kosmos-dirsrv/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/Configures 389 Directory Server'
 long_description 'Installs/Configures 389 Directory Server'
-version '0.1.1'
+version '0.1.2'
 chef_version '>= 14.0'
 
 depends "firewall"

From 5b86aca5e8566288563d2c3376f6eac365f3ad00 Mon Sep 17 00:00:00 2001
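Review bot: Both new `aci:` values sit on the `ou=users,dc=kosmos,dc=org` entry (the `dn:` shown in the hunk header) yet name its parent `dc=kosmos,dc=org` as `target`; 389 DS honours a target only when it is the ACI's own entry or below it, so as committed the rules would likely apply to nothing — which matches the commit message's remark that on barnard the change was made by editing the base DN entry instead. Either move the two lines under a `dn: dc=kosmos,dc=org` entry, or drop the `(target=...)` clause so each rule scopes to the entry carrying it and its subtree by default. The `userdn="ldap:///dc=kosmos,dc=org"` in "user-deny-all" also reads as one literal bind DN rather than "every user under the suffix"; if all authenticated users are meant, `userdn="ldap:///all"` (or a `uid=*,ou=users,dc=kosmos,dc=org` wildcard) is the form I would expect — confirm against the 389 ACI reference. Because an explicit deny overrides every allow, any service account that binds under this suffix to look up users will lose search and read as well, which deserves a `# ` comment line above the two rules stating that intent.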
From: Sebastian Kippe
Date: Sat, 15 Feb 2020 13:52:00 -0500
Subject: [PATCH 2/2] Update andromeda node info

---
 nodes/andromeda.kosmos.org.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json
index 7affd98..f233f14 100644
--- a/nodes/andromeda.kosmos.org.json
+++ b/nodes/andromeda.kosmos.org.json
@@ -19,7 +19,7 @@
 "automatic": {
 "fqdn": "andromeda.kosmos.org",
 "os": "linux",
-"os_version": "4.15.0-50-generic",
+"os_version": "4.15.0-74-generic",
 "hostname": "andromeda",
 "ipaddress": "46.4.18.160",
 "roles": [