From 85abfd4e5e565760fce6b6d54abe9546d2a71c92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 22 Aug 2022 16:15:02 +0200
Subject: [PATCH] Create the required groups and ACIs
---
 site-cookbooks/kosmos-dirsrv/files/acis.ldif | 5 +--
 site-cookbooks/kosmos-dirsrv/files/users.ldif | 32 +++++++++++++++++--
 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/site-cookbooks/kosmos-dirsrv/files/acis.ldif b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
index f882afc..641fce9 100644
--- a/site-cookbooks/kosmos-dirsrv/files/acis.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
@@ -1,5 +1,6 @@
+# LDAPv3 [0/223]
+# kosmos.org
 dn: dc=kosmos,dc=org
 changetype: modify
 replace: aci
-aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
-aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
diff --git a/site-cookbooks/kosmos-dirsrv/files/users.ldif b/site-cookbooks/kosmos-dirsrv/files/users.ldif
index 5055e99..754b6e4 100644
--- a/site-cookbooks/kosmos-dirsrv/files/users.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
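Review bot: The replaced ACI set drops `user-write-own-password`, so after this change no ACI on `dc=kosmos,dc=org` grants a user write on their own `userPassword`, and self-service password changes will be denied unless an ACI outside this patch restores them. The new self ACI uses `(targetattr="*")`, which is broader than the ACL name "user-read-search-own-attributes" suggests; a least-privilege form lists what users actually need, e.g. `(targetattr="cn || sn || uid || mail || objectClass")`, and keeps the `userPassword` hash out of what a user can read back. `replace: aci` also discards every other ACI previously held on the suffix, which the commit relies on; a one-line comment such as `# replaces the whole suffix-level ACI set; per-OU ACIs live in users.ldif` would record that intent. The first added comment line `# LDAPv3 [0/223]` looks like a pasted terminal or pager artifact and should presumably read just `# LDAPv3`.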
@@ -1,4 +1,32 @@
-dn: ou=users,dc=kosmos,dc=org
+# users, kosmos.org
+dn: cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalRole
+cn: users
+
+# kosmos.org, users, kosmos.org
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
-ou: users
+description: Kosmos
+ou: kosmos.org
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
+
+# 5apps.com, users, kosmos.org
+dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalUnit
+description: 5apps
+ou: 5apps.com
+aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-5apps-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
+
+# admin role
+dn: cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: LDAPsubentry
+objectClass: nsRoleDefinition
+objectClass: nsComplexRoleDefinition
+objectClass: nsFilteredRoleDefinition
+cn: admin_role
+nsRoleFilter: (&(objectclass=person)(admin=true))
+description: filtered role for admins
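Review bot: Both service ACIs (`service-kosmos-read-search` and `service-5apps-read-search`) grant `read,search` on `userPassword` to the application service accounts, which lets those accounts retrieve the password hash of every user under their OU; if the applications authenticate users by binding as them, `userPassword` can be dropped from `targetattr` entirely, and if they must verify a password without binding, `allow (compare)` on `userPassword` is the narrower right. The `admin_role` filtered role makes any `person` entry carrying `admin=true` an admin, so role membership is exactly as trustworthy as write access to that attribute; with the suffix ACI now granting self only `read,search`, that write presumably rests with the directory manager alone, and a comment on the role entry such as `# membership is derived from the admin attribute; keep write on it restricted to the directory manager` would make that trust boundary explicit. `admin` is not a standard 389-ds attribute, so unless the cookbook ships a schema extension defining it, schema checking will presumably reject `admin: true` on a person entry — worth confirming before relying on the role.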