# The aci dont care about ordering. Just DENY comes before ALLOW Rules after everrule from bottom to top has been collected.
#
+# Only for Data that is needed for the Applications. Create for each Application a new OU. The service user to read the data must be located under ou=services,O=Pixelpark,o=isp.
+# Only for serivce users to read data. Additional data for the application must be located under ou=Applications,o=Pixelpark,o=isp.
+#
# Enable full access to admin user: (version 3.0; acl "%s"; allow (all, export, import, proxy) (userdn = "ldap:///cn=admin"); )
# Not working! Deny anonymous access: (target="ldap:///o=isp")(targetattr = "aci")(version 3.0; acl "%s"; deny (all) (authmethod="none")
# Replication Manage goes around the ACI
Directory Administrators Group: (target="ldap:///o=isp")(targetattr ="*")(version 3.0;acl "%s";allow (all) (groupdn = "ldap:///cn=Directory Administrators,o=isp");)
Enable read for readonly user: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=readonly,ou=People,o=isp"); )
Enable read for mail-service user: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=mail-service,ou=Services,o=Pixelpark,o=isp"); )
+# CRM Geraffel:
+PxP IntraNet WebServer Authentification: (target = "ldap:///o=Pixelpark,o=isp") (targetattr = "mail || ppApplicationRight || uid || gidNumber || uniqueMember || givenName || ppCostCenter || employeeNumber || sn || ou || objectClass || o || cn") (version 3.0;acl "%s";allow (read,compare,search,selfwrite)(userdn = "ldap:///uid=wwwadm, ou=WWWServer, ou=Applications, o=Pixelpark,o=isp");)
+PxP Confluence-CRM read: (target = "ldap:///ou=People,o=Pixelpark,o=isp") (targetattr = "mail || ppApplicationRight || telephoneNumber || uid || givenName || mobile || sn || objectClass || cn") (version 3.0;acl "%s";allow (read,compare,search)(userdn = "ldap:///uid=confluence-crm, ou=Confluence,ou=Applications, o=Pixelpark,o=isp");)
+PxP CRM read: (target = "ldap:///ou=People,o=Pixelpark,o=isp")(targetattr = "mail || ppApplicationRight || telephoneNumber || uid || givenName || mobile || sn || ou || inetUserStatus || objectClass || cn || l") (version 3.0;acl "%s";allow (read,compare,search)(userdn = "ldap:///uid=crm,ou=CRM,ou=Applications, o=Pixelpark,o=isp");)
+PxP CRM read: (target = "ldap:///ou=Groups,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (read,compare,search)(userdn = "ldap:///uid=crm,ou=CRM,ou=Applications,o=Pixelpark,o=isp");)
+PxP CRM read-write: (target = "ldap:///ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (read,search)(userdn = "ldap:///uid=crm,ou=CRM,ou=Applications,o=Pixelpark,o=isp");)
+PxP CRM Read-Write: (target = "ldap:///ou=People,ou=CRM,ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (all)(userdn = "ldap:///uid=crm,ou=CRM,ou=Applications,o=Pixelpark,o=isp");)
+PxP Confluence-CRM read: (target = "ldap:///ou=People,ou=CRM,ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (read,compare,search)(userdn = "ldap:///uid=confluence-crm,ou=Confluence,ou=Applications,o=Pixelpark,o=isp");)
+PxP CRM read-write: (target = "ldap:///ou=People,ou=CRM,ou=Applications,o=Pixelpark,o=isp") (targetattr = "userPassword") (version 3.0;acl "%s";allow (read,search)(userdn = "ldap:///uid=crm,ou=CRM,ou=Applications,o=Pixelpark,o=isp");)
+PxP CRM read-write: (target = "ldap:///ou=CRM-Groups,ou=Confluence,ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (all)(userdn = "ldap:///uid=crm,ou=CRM,ou=Applications,o=Pixelpark,o=isp");)
+PxP Confluence-CRM read: (target = "ldap:///ou=CRM-Groups,ou=Confluence,ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (read,compare,search)(userdn = "ldap:///uid=confluence-crm,ou=Confluence,ou=Applications,o=Pixelpark,o=isp");)
+# Solaris NSS + radius
+Read Radius Rofiles: (target = "ldap:///ou=RadiusProfiles,ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (targetfilter = (objectclass=radiusProfile)) (version 3.0;acl "%s";allow (all)(userdn = "ldap:///uid=ascend, ou=Unix NSS, ou=Applications, o=Pixelpark,o=isp");)
+PxP Ascend Authetification: (target = "ldap:///ou=People, o=Pixelpark,o=isp") (targetattr = "uid || objectClass") (targetfilter = objectclass=ppCallinAccount) (version 3.0;acl "%s";allow (read,compare,search)(userdn = "ldap:///uid=ascend, ou=Unix NSS, ou=Applications, o=Pixelpark,o=isp");)
+PxP Solaris Read: (target = "ldap:///ou=People, o=Pixelpark,o=isp") (targetfilter = objectclass=posixaccount) (targetattr = "shadowInactive || shadowFlag || uidNumber || description || uid || gidNumber || shadowWarning || homeDirectory || gecos || shadowLastChange || shadowMin || shadowExpire || shadowMax || objectClass || cn || userPassword || loginShell") (version 3.0;acl "%s";allow (read,compare,search)(userdn = "ldap:///uid=Solaris_NSS, ou=Unix NSS, ou=Applications, o=Pixelpark,o=isp");)
#
-# Work in Progress
-#Allow Access for Service User to users: (target="ldap:///ou=People,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0; acl "%s"; allow (read,search)(userdn="ldap:///ou=Applications,o=Pixelpark,o=isp??sub? || ldap:///ou=Services,o=Pixelpark,o=isp??sub?"); )
-#Allow Access for Service User to group: (target="ldap:///ou=Groups,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0; acl "%s"; allow (read,search)(userdn="ldap:///ou=Applications,o=Pixelpark,o=isp??sub? || ldap:///ou=Services,o=Pixelpark,o=isp??sub?"); )
\ No newline at end of file
+# This Rule is not allowed
+#Solaris Profile Read: (target = "ldap:///ou=Unix NSS, ou=Applications, o=Pixelpark,o=isp") (targetattr = "*") (targetfilter = objectclass=DUAConfigProfile) (version 3.0;acl "%s";allow (read,compare,search)(userdn = "ldap:///anyone");)
+Solaris Read_Write: (target = "ldap:///ou=Unix NSS, ou=Applications, o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (all)(userdn = "ldap:///uid=Solaris_NSS, ou=Unix NSS, ou=Applications, o=Pixelpark,o=isp");)
+NSmanager: (target = "ldap:///ou=Unix NSS, ou=Applications, o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (all)(groupdn = "ldap:///cn=NIS-Admin, ou=Groups, o=Pixelpark,o=isp");)
+# ou=service_sp
+ILom read: (target = "ldap:///ou=service_sp,ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (read,search)(userdn = "ldap:///uid=Solaris_NSS,ou=Unix NSS,ou=Applications,o=pixelpark,o=isp");)
+grp read: (target = "ldap:///cn=iDracAdminGroup,ou=service_sp,ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (read,search)(userdn = "ldap:///uid=root_*,ou=service_sp,ou=Applications,o=Pixelpark,o=isp");)
+# baracuda
+Barracuda read/write: (target = "ldap:///ou=barracuda,ou=Applications,o=Pixelpark,o=isp") (targetattr = "*") (version 3.0;acl "%s";allow (all)(userdn = "ldap:///uid=barracuda,ou=barracuda,ou=Applications, o=Pixelpark,o=isp");)
\ No newline at end of file
projects / pixelpark / ldap-migration.git / commitdiff