Add ground default aci rules

diff --git a/etc/aci/000.o=isp.txt b/etc/aci/000.o=isp.txt
index 2fb5dcfffc649def6bd7ebe76f27851e5520c2e5..31fc5aed4736eaca8fcf127610f6826e14042337 100644 (file)
--- a/etc/aci/000.o=isp.txt
+++ b/etc/aci/000.o=isp.txt
@@ -1,3 +1,17 @@
+# The aci dont care about ordering. Just DENY comes before ALLOW Rules after everrule from bottom to top has been collected.
+#
 # Enable full access to admin user: (version 3.0; acl "%s"; allow (all, export, import, proxy) (userdn = "ldap:///cn=admin"); )
-Enable read for readonly user: (version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=readonly,ou=People,o=isp"); )
-Enable read for mail-service user: (version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=mail-service,ou=Services,o=Pixelpark,o=isp"); )
+# Not working! Deny anonymous access: (target="ldap:///o=isp")(targetattr = "aci")(version 3.0; acl "%s"; deny (all) (authmethod="none")
+# Replication Manage goes around the ACI
+Deny access to aci for all: (target="ldap:///o=isp")(targetattr = "aci")(version 3.0; acl "%s"; deny (all) (userdn ="ldap:///anyone");)                                                                          
+Deny self removal: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; deny (delete) (userdn ="ldap:///self");)                                                                                    
+Grand User own Data read Access: (target="ldap:///o=isp")(targetattr = "*") (version 3.0; acl "%s"; allow (read,search)(userdn="ldap:///self"); )                                                                
+Enable self write for common attributes: (target="ldap:///o=isp")(targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile || pager
+|| photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "%s"; allow (write) (userdn="ldap:///self");)              
+Directory Administrators Group: (target="ldap:///o=isp")(targetattr ="*")(version 3.0;acl "%s";allow (all) (groupdn = "ldap:///cn=Directory Administrators,o=isp");)                                             
+Enable read for readonly user: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=readonly,ou=People,o=isp"); )                                 
+Enable read for mail-service user: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=mail-service,ou=Services,o=Pixelpark,o=isp"); )
+#
+# Work in Progress
+#Allow Access for Service User to users: (target="ldap:///ou=People,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0; acl "%s"; allow (read,search)(userdn="ldap:///ou=Applications,o=Pixelpark,o=isp??sub? || ldap:///ou=Services,o=Pixelpark,o=isp??sub?"); )
+#Allow Access for Service User to group: (target="ldap:///ou=Groups,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0; acl "%s"; allow (read,search)(userdn="ldap:///ou=Applications,o=Pixelpark,o=isp??sub? || ldap:///ou=Services,o=Pixelpark,o=isp??sub?"); )
\ No newline at end of file