Create the required groups and ACIs

2022-08-22 16:15:02 +02:00 · 2022-08-22 16:15:02 +02:00 · 85abfd4e5e
parent 80c3e4e270
commit 85abfd4e5e
2 changed files with 33 additions and 4 deletions
--- a/site-cookbooks/kosmos-dirsrv/files/acis.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
@ -1,5 +1,6 @@
+# LDAPv3                                                                                                                                                                                                                                                                                                                                                                               [0/223]
+# kosmos.org
 dn: dc=kosmos,dc=org
 changetype: modify
 replace: aci
-aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
-aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
--- a/site-cookbooks/kosmos-dirsrv/files/users.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
@ -1,4 +1,32 @@
-dn: ou=users,dc=kosmos,dc=org
+# users, kosmos.org
+dn: cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalRole
+cn: users
+
+# kosmos.org, users, kosmos.org
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
-ou: users
+description: Kosmos
+ou: kosmos.org
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
+
+# 5apps.com, users, kosmos.org
+dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalUnit
+description: 5apps
+ou: 5apps.com
+aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-5apps-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
+
+# admin role
+dn: cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: LDAPsubentry
+objectClass: nsRoleDefinition
+objectClass: nsComplexRoleDefinition
+objectClass: nsFilteredRoleDefinition
+cn: admin_role
+nsRoleFilter: (&(objectclass=person)(admin=true))
+description: filtered role for admins