Create the required groups and ACIs
This commit is contained in:
parent
80c3e4e270
commit
85abfd4e5e
@ -1,5 +1,6 @@
|
|||
# LDAPv3 [0/223]
|
||||
# kosmos.org
|
||||
dn: dc=kosmos,dc=org
|
||||
changetype: modify
|
||||
replace: aci
|
||||
aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
|
||||
aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
|
||||
aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
|
||||
|
|
|
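Review bot: The `user-deny-all` rule on the first aci line is either a no-op or it breaks the two allows that follow it, depending on how `userdn="ldap:///dc=kosmos,dc=org"` is evaluated: in 389/Sun Directory Server a userdn without a wildcard names a single bind DN, so as written it matches no real user, and if it were widened to `ldap:///all` or `ldap:///uid=*,dc=kosmos,dc=org` the deny would override the self-write and self-read allows, because deny takes precedence over allow in that server. Since ACI evaluation is default-deny, the safer form is to drop the deny line and keep only the two allows. Note also that `replace: aci` discards every ACI previously present on the suffix (including any default anonymous-read or admin-group rules), so confirm nothing else still depends on them. The rendered page does not show which of these eight lines are old and which are new, so I could not tell whether the deny rule predates this commit.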
@ -1,4 +1,32 @@
|
|||
dn: ou=users,dc=kosmos,dc=org
|
||||
# users, kosmos.org
|
||||
dn: cn=users,dc=kosmos,dc=org
|
||||
objectClass: top
|
||||
objectClass: organizationalRole
|
||||
cn: users
|
||||
|
||||
# kosmos.org, users, kosmos.org
|
||||
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
ou: users
|
||||
description: Kosmos
|
||||
ou: kosmos.org
|
||||
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
|
||||
|
||||
# 5apps.com, users, kosmos.org
|
||||
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
description: 5apps
|
||||
ou: 5apps.com
|
||||
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-5apps-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
|
||||
|
||||
# admin role
|
||||
dn: cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
|
||||
objectClass: top
|
||||
objectClass: LDAPsubentry
|
||||
objectClass: nsRoleDefinition
|
||||
objectClass: nsComplexRoleDefinition
|
||||
objectClass: nsFilteredRoleDefinition
|
||||
cn: admin_role
|
||||
nsRoleFilter: (&(objectclass=person)(admin=true))
|
||||
description: filtered role for admins
|
||||
|
|
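Review bot: The `service-kosmos-read-search` and `service-5apps-read-search` ACIs (the aci lines under ou=kosmos.org and ou=5apps.com) grant the service accounts read on `userPassword`, which lets those applications retrieve every user's password hash instead of verifying credentials with a bind; unless the service genuinely needs the hashes, drop it from the list, e.g. `(targetattr="cn || sn || uid || mail || nsRole || objectClass")`, and have the application authenticate users by binding as them. The target `ldap:///cn=*,ou=kosmos.org,...` only matches entries whose RDN attribute is cn, while the service DNs in the same file use `uid=`, so if user entries are also named `uid=...` these rules will not apply to them — confirm the RDN used for user entries. The admin role's `nsRoleFilter` keys on an `admin=true` attribute, so whoever can write that attribute controls role membership; the ACIs shown only allow self-write on userPassword, which is right, but this is worth a comment on the role entry, e.g. `# membership is granted by admin=true; only directory administrators may write that attribute`. Finally, the ou=kosmos.org entry carries both `ou: users` and `ou: kosmos.org` while the ou=5apps.com entry has a single ou value; the extra `ou: users` looks like a leftover from the replaced ou=users entry.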