From 70969a4a4ce6bc390d0b501320593ad8c454dd84 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Thu, 3 Mar 2022 16:58:14 +0100
Subject: [PATCH] Fixing misformatted ACIs

---
 etc/aci/000.o=isp.txt | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/etc/aci/000.o=isp.txt b/etc/aci/000.o=isp.txt
index c57a5c8..603fd1f 100644
--- a/etc/aci/000.o=isp.txt
+++ b/etc/aci/000.o=isp.txt
@@ -6,13 +6,12 @@
 # Enable full access to admin user: (version 3.0; acl "%s"; allow (all, export, import, proxy) (userdn = "ldap:///cn=admin"); ) # Not working! Deny anonymous access: (target="ldap:///o=isp")(targetattr = "aci")(version 3.0; acl "%s"; deny (all) (authmethod="none") # Replication Manage goes around the ACI
-Deny access to aci for all: (target="ldap:///o=isp")(targetattr = "aci")(version 3.0; acl "%s"; deny (all) (userdn ="ldap:///anyone");)
-Deny self removal: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; deny (delete) (userdn ="ldap:///self");)
-Grand User own Data read Access: (target="ldap:///o=isp")(targetattr = "*") (version 3.0; acl "%s"; allow (read,search)(userdn="ldap:///self"); )
-Enable self write for common attributes: (target="ldap:///o=isp")(targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile || pager
-|| photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "%s"; allow (write) (userdn="ldap:///self");)
-Directory Administrators Group: (target="ldap:///o=isp")(targetattr ="*")(version 3.0;acl "%s";allow (all) (groupdn = "ldap:///cn=Directory Administrators,o=isp");)
-Enable read for readonly user: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=readonly,ou=People,o=isp"); )
+Deny access to aci for all: (target="ldap:///o=isp")(targetattr = "aci")(version 3.0; acl "%s"; deny (all) (userdn ="ldap:///anyone");)
+Deny self removal: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; deny (delete) (userdn ="ldap:///self");)
+Grand User own Data read Access: (target="ldap:///o=isp")(targetattr = "*") (version 3.0; acl "%s"; allow (read,search)(userdn="ldap:///self"); )
+Enable self write for common attributes: (target="ldap:///o=isp")(targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "%s"; allow (write) (userdn="ldap:///self");)
+Directory Administrators Group: (target="ldap:///o=isp")(targetattr ="*")(version 3.0;acl "%s";allow (all) (groupdn = "ldap:///cn=Directory Administrators,o=isp");)
+Enable read for readonly user: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=readonly,ou=People,o=isp"); )
 Enable read for mail-service user: (target="ldap:///o=isp")(targetattr = "*")(version 3.0; acl "%s"; allow (read, search, compare)(userdn="ldap:///uid=mail-service,ou=Services,o=Pixelpark,o=isp"); ) # CRM Geraffel: PxP IntraNet WebServer Authentification: (target = "ldap:///o=Pixelpark,o=isp") (targetattr = "mail || ppApplicationRight || uid || gidNumber || uniqueMember || givenName || ppCostCenter || employeeNumber || sn || ou || objectClass || o || cn") (version 3.0;acl "%s";allow (read,compare,search,selfwrite)(userdn = "ldap:///uid=wwwadm, ou=WWWServer, ou=Applications, o=Pixelpark,o=isp");)
-- 
2.39.5
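Review bot: The re-added `Enable read for readonly user` line (and the unchanged `Enable read for mail-service user` context line next to it) grants read, search and compare on `targetattr = "*"`, which in 389-ds-style ACIs also matches `userPassword`, so either service account can read every password hash under o=isp if it is ever compromised. If those accounts only need to resolve users, exclude the hash on both lines, e.g. replace `(targetattr = "*")` with `(targetattr != "userPassword")`, or list the attributes they actually need. Joining the wrapped `Enable self write for common attributes` ACI presumably turns a previously unparsable rule into an effective one; it lets each user write their own `mail` attribute, which the `PxP IntraNet WebServer Authentification` ACI further down exposes to the web application, so confirm that application does not key users by `mail` before merging. The label `Grand User own Data read Access` looks like a typo for `Grant`; it only feeds the `acl "%s"` name, so fixing it is safe but optional.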