Merge branch 'master' into feature/123-ejabberd_5apps

Allow users to change their own password, but nothing else (no search,
no read, no write)

This will only run when setting up the 389-dirsrv instance for the first
time, this has been applied on barnard by editing the dn (see
#128 (comment))

Closes #128

nodes/andromeda.kosmos.org.json

@@ -19,7 +19,7 @@
   "automatic": {
     "fqdn": "andromeda.kosmos.org",
     "os": "linux",
-    "os_version": "4.15.0-50-generic",
+    "os_version": "4.15.0-74-generic",
     "hostname": "andromeda",
     "ipaddress": "46.4.18.160",
     "roles": [

site-cookbooks/kosmos-dirsrv/files/users.ldif

@@ -2,3 +2,5 @@ dn: ou=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: users
+aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)

site-cookbooks/kosmos-dirsrv/metadata.rb

@@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/Configures 389 Directory Server'
 long_description 'Installs/Configures 389 Directory Server'
-version '0.1.1'
+version '0.1.2'
 chef_version '>= 14.0'
 
 depends "firewall"