From e56faab5b16ef470682411137905f7315cefc3a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 12 Feb 2020 16:13:45 +0100
Subject: [PATCH] Set the ACIs on the base DN Allow users to change their own password, but nothing else (no search, no read, no write) This will only run when setting up the 389-dirsrv instance for the first time, this has been applied on barnard by editing the dn (see https://gitea.kosmos.org/kosmos/chef/issues/128#issuecomment-1542) Closes #128
---
 site-cookbooks/kosmos-dirsrv/files/users.ldif | 2 ++
 site-cookbooks/kosmos-dirsrv/metadata.rb | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-dirsrv/files/users.ldif b/site-cookbooks/kosmos-dirsrv/files/users.ldif
index 5055e99..136fd00 100644
--- a/site-cookbooks/kosmos-dirsrv/files/users.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
@@ -2,3 +2,5 @@ dn: ou=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: users
+aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
diff --git a/site-cookbooks/kosmos-dirsrv/metadata.rb b/site-cookbooks/kosmos-dirsrv/metadata.rb
index 74140a1..b022a52 100644
--- a/site-cookbooks/kosmos-dirsrv/metadata.rb
+++ b/site-cookbooks/kosmos-dirsrv/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/Configures 389 Directory Server'
 long_description 'Installs/Configures 389 Directory Server'
-version '0.1.1'
+version '0.1.2'
 chef_version '>= 14.0'
 depends "firewall"
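Review bot: The two `aci` values are added to the `ou=users,dc=kosmos,dc=org` entry yet target `ldap:///dc=kosmos,dc=org`, the parent of the holding entry; 389-ds evaluates an ACI for the entry that carries it and its subtree, so a target above that entry is at best ineffective for the rest of the suffix and does not match the "Set the ACIs on the base DN" title — either put them on the `dc=kosmos,dc=org` entry (which the description says was done by hand on barnard) or narrow the target to `ldap:///ou=users,dc=kosmos,dc=org`. The bare `userdn="ldap:///dc=kosmos,dc=org"` in the deny rule is, as far as I recall, an exact-DN match rather than a subtree match, so to cover every account it should use a wildcard or filter form such as `userdn="ldap:///dc=kosmos,dc=org??sub?(objectClass=*)"`. Deny rules take precedence over allow rules in 389-ds, so if the attribute-less deny is taken to cover `userPassword` the self-write rule is overridden; verify after setup by binding as an ordinary account and attempting a password change, and consider carving the attribute out of the deny with `(targetattr!="userPassword")` or dropping the deny altogether and adjusting the default anonymous-read ACI on the suffix instead, since anything not explicitly allowed is already denied.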