LDAP Member Database
Holds the member data.
Responsible Admins
- LukyLuke
- Exception
Dependent Services
- RegistrationService
- MemberService
- MemberAdmin
- phpLdapAdmin (to be restricted to admins)
- MdbGUI (phased out)
- OTRS
- SSO (CAS)
- Redmine
- Homepage (Drupal)
- Section Homepages (Wordpress)
Access Rules
New LDAP ACL as of 28.04.2013.
The order is very important: slapd uses the first "to" clause that matches the entry and attribute, and within it the first "by" clause that matches the requester. "stop" (the default) ends evaluation with that level, "break" carries on with the next "to" clause, and a "to" clause none of whose "by" clauses match denies. The rootdn need not be listed, as it has full access regardless of the ACL.
# Other system restricted access rule
to attrs=cn,l,info,description,st,street,title,telephoneNumber,mobile,postalCode,ppsBirthDate,ppsContributionClass,ppsGender,ppsJoining,ppsLeaving,ppsPreferredNotificationMethod,c,employeeNumber,employeeType,preferredLanguage,ppsAlternateMail
    by peername.ipv6=::1 none break
    by peername.ip="127.0.0.1" none break
    by peername.ip="10.0.0.103" none break
    by peername.ip="172.17.3.0%255.255.255.255" none break
    by * none stop

# Temp restricted access rule
to dn.subtree="dc=tmp,dc=piratenpartei,dc=ch"
    by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
    by group/ppsRole/roleOccupant.exact="cn=registrar,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
    by group/ppsRole/roleOccupant.exact="cn=treasurer,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
    by * none stop

# Password restricted access rule
to attrs=userPassword
    by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
    by self write
    by dn.base="cn=mdbgui,dc=piratenpartei,dc=ch" write
    by dn.base="cn=bind,dc=piratenpartei,dc=ch" auth
    by anonymous auth
    by * none stop

# Voting right until restricted access rule
to attrs=ppsVotingRightUntil
    by group/ppsRole/roleOccupant.exact="cn=actuary,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
    by group/ppsRole/roleOccupant.exact="cn=registrar,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
    by group/ppsRole/roleOccupant.exact="cn=treasurer,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
    by * read stop

# Selfservice access rule
to attrs=l,mail,mobile,postalCode,ppsBirthDate,ppsGender,ppsPreferredNotificationMethod,preferredLanguage,st,street,telephoneNumber,title,ppsAlternateMail,c
    by self write
    by * none break

# Location access rule
to dn.regex="^.*(l=[A-Za-z]+,st=[a-z]+,dc=piratenpartei,dc=ch)$"
    by group/ppsGroup/member.expand="cn=board,$1" write
    by * none break

# State access rule
to dn.regex="^.*(st=[a-z]+,dc=piratenpartei,dc=ch)$"
    by group/ppsGroup/member.expand="cn=board,$1" write
    by * none break

# National access rule
to dn.subtree="dc=piratenpartei,dc=ch"
    by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
    by dn.base="cn=mdbgui,dc=piratenpartei,dc=ch" write
    by group/ppsGroup/member.exact="cn=Direction,cn=Board,dc=piratenpartei,dc=ch" write
    by group/ppsGroup/member.exact="cn=Presidium,cn=Board,dc=piratenpartei,dc=ch" read
    by group/ppsGroup/member.exact="cn=FIN,dc=workgroups,dc=piratenpartei,dc=ch" read
    by group/ppsGroup/member.exact="cn=GPK,dc=piratenpartei,dc=ch" read
    by group/ppsRole/roleOccupant.exact="cn=Voting,cn=AnK,dc=piratenpartei,dc=ch" read
    by group/ppsRole/roleOccupant.exact="cn=President,cn=AnK,dc=piratenpartei,dc=ch" read
    by group/ppsRole/roleOccupant.exact="cn=RegistrarAssistant,cn=ROA,dc=workgroups,dc=piratenpartei,dc=ch" read
    by self read
    by dn.base="cn=bind,dc=piratenpartei,dc=ch" read
    by dn.base="cn=redmine,dc=piratenpartei,dc=ch" read
    by anonymous auth
    by * none break

# Schema access rule
to dn.subtree="cn=subschema"
    by users read
    by * none break

# Read access to infrastructure
to filter="(|(|(|(objectClass=ppsOrganization)(objectClass=ppsSection))(|(objectClass=ppsGroup)(objectClass=ppsRole)))(objectClass=ppsContainer))"
    by * read

# Final no access rule
to *
    by * none stop

Notes on the rules:
- Group and role DNs must be spelled exactly. A misspelt DN (an earlier copy of this ACL had "dc=piatenpartei" in the registrar clauses) raises no error; the clause simply never matches and the registrar falls through to the later clauses.
- peername.ip takes addr%mask. With the mask 255.255.255.255 the clause "172.17.3.0%255.255.255.255" matches only the single address 172.17.3.0; the whole /24 would need 255.255.255.0.
- The Other system rule comes first and its attribute list overlaps with the Selfservice list (l, st, street, title, telephoneNumber, mobile, postalCode, ppsBirthDate, ppsGender, ppsPreferredNotificationMethod, preferredLanguage, ppsAlternateMail, c), so self-service on those attributes only works for connections from the listed addresses, not for a member binding directly from elsewhere.
- "by * read stop" on ppsVotingRightUntil grants read to every bind, including anonymous. Whether an entry is returned at all is decided by access to its entry pseudo-attribute, which the National rule gives anonymous only at auth level. The same "by anonymous auth" clause stops evaluation, so anonymous binds never reach the Read access to infrastructure rule.
- The nested ORs in the infrastructure filter are equivalent to the flat filter (|(objectClass=ppsOrganization)(objectClass=ppsSection)(objectClass=ppsGroup)(objectClass=ppsRole)(objectClass=ppsContainer)).
- Check a change with slapacl before loading it, e.g. slapacl -F /etc/ldap/slapd.d -D <member DN> -b <member DN> mobile/write (adjust -F to the config directory; clauses based on peername need the -o peername option to be exercised).
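The rule walk that "the order is very important" refers to, as an added example (not the wiki's or the server's own tooling): a small Python model of slapd's evaluation order loaded with a subset of the rules above. The member DNs, client IP addresses and group memberships are constructed, the attribute lists are trimmed to a representative subset, and only the stop and break controls are modelled because those are the only ones this ACL uses. It makes two consequences of the ordering visible: the Other system rule sits before the Selfservice rule and both lists contain mobile and telephoneNumber, so a member binding from anywhere other than the listed addresses gets no self-service access to them; and the National rule's "by anonymous auth" stops evaluation, so anonymous binds never reach the Read access to infrastructure rule while an ordinary authenticated member does.

```python
"""Walks the ACL above the way slapd does: first matching `to` clause, then first
matching `by` clause; `stop` ends evaluation, `break` moves on to the next `to`
clause, and a `to` that matches with no matching `by` denies.  Added example for
this wiki page, not server configuration; DNs, client IPs and groups are made up."""
import re
from dataclasses import dataclass
from typing import Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BASE = "dc=piratenpartei,dc=ch"
DIRADMIN = "cn=diradmin,cn=di,dc=workgroups," + BASE
DIRECTION = "cn=Direction,cn=Board," + BASE
BIND_DN = "cn=bind," + BASE
SYSTEM_IPS = {"::1", "127.0.0.1", "10.0.0.103"}
# Subsets of the attribute lists in the rules above, enough to show the ordering.
OTHER_SYSTEM_ATTRS = {"cn", "description", "telephoneNumber", "mobile", "ppsBirthDate"}
SELFSERVICE_ATTRS = {"mail", "mobile", "telephoneNumber", "ppsBirthDate"}
INFRA_CLASSES = {"ppsOrganization", "ppsSection", "ppsGroup", "ppsRole", "ppsContainer"}
STATE_RE = re.compile(r"^.*(st=[a-z]+,dc=piratenpartei,dc=ch)$")

@dataclass(frozen=True)
class Who:
    dn: Optional[str]                  # None = anonymous bind
    ip: str = "203.0.113.5"            # peername as slapd sees it (constructed)
    groups: frozenset = frozenset()    # ppsGroup/ppsRole DNs the binder belongs to

@dataclass(frozen=True)
class Target:
    dn: str
    attr: Optional[str] = None         # None = the entry itself
    classes: frozenset = frozenset()   # objectClass values, for the filter rule

def attrs(names):
    return lambda t: t.attr in names

def state_board(w, t):
    m = STATE_RE.match(t.dn)           # $1 of member.expand is the section's DN
    return m is not None and "cn=board," + m.group(1) in w.groups

# (name, to-predicate, [(by-predicate, level, control), ...]); only the controls
# the ACL above uses (stop, break) are modelled.
RULES = [
    ("other systems", attrs(OTHER_SYSTEM_ATTRS), [
        (lambda w, t: w.ip in SYSTEM_IPS, "none", "break"),
        (lambda w, t: True, "none", "stop")]),
    ("userPassword", attrs({"userPassword"}), [
        (lambda w, t: DIRADMIN in w.groups, "manage", "stop"),
        (lambda w, t: w.dn == t.dn, "write", "stop"),
        (lambda w, t: w.dn == BIND_DN, "auth", "stop"),
        (lambda w, t: w.dn is None, "auth", "stop"),
        (lambda w, t: True, "none", "stop")]),
    ("selfservice", attrs(SELFSERVICE_ATTRS), [
        (lambda w, t: w.dn == t.dn, "write", "stop"),
        (lambda w, t: True, "none", "break")]),
    ("state", lambda t: STATE_RE.match(t.dn) is not None, [
        (state_board, "write", "stop"),
        (lambda w, t: True, "none", "break")]),
    ("national", lambda t: t.dn == BASE or t.dn.endswith("," + BASE), [
        (lambda w, t: DIRADMIN in w.groups, "manage", "stop"),
        (lambda w, t: DIRECTION in w.groups, "write", "stop"),
        (lambda w, t: w.dn == t.dn, "read", "stop"),
        (lambda w, t: w.dn == BIND_DN, "read", "stop"),
        (lambda w, t: w.dn is None, "auth", "stop"),
        (lambda w, t: True, "none", "break")]),
    ("infrastructure", lambda t: bool(t.classes & INFRA_CLASSES), [
        (lambda w, t: True, "read", "stop")]),
    ("final", lambda t: True, [(lambda w, t: True, "none", "stop")]),
]

def granted(who, target):
    """Access level slapd would grant `who` on `target`, walking RULES in order."""
    for _name, to_pred, by_clauses in RULES:
        if not to_pred(target):
            continue
        for by_pred, level, control in by_clauses:
            if by_pred(who, target):
                if control == "stop":
                    return level
                break                  # `break`: carry on with the next `to` clause
        else:
            return "none"              # `to` matched, no `by` matched: implicit deny
    return "none"

def allowed(who, target, needed):
    return LEVELS.index(granted(who, target)) >= LEVELS.index(needed)

# Constructed identities: a member binding directly and through a listed host,
# the application's bind DN, a state board member, and an anonymous client.
ALICE = "uid=alice,l=Bern,st=be," + BASE
SECTION_BE = Target("st=be," + BASE, classes=frozenset({"ppsSection"}))
alice_outside = Who(dn=ALICE)
alice_via_app = Who(dn=ALICE, ip="10.0.0.103")
app_server = Who(dn=BIND_DN, ip="10.0.0.103")
be_board = Who(dn="uid=bob,l=Bern,st=be," + BASE, ip="10.0.0.103",
               groups=frozenset({"cn=board,st=be," + BASE}))
anonymous = Who(dn=None)

if __name__ == "__main__":
    for who, target in [(alice_outside, Target(ALICE, "mobile")), (alice_via_app, Target(ALICE, "mobile")),
                        (be_board, Target(ALICE, "description")), (anonymous, SECTION_BE)]:
        print(who.dn or "anonymous", who.ip, target.attr or "(entry)", "->", granted(who, target))
```

The model deliberately leaves out what it cannot check offline: netmask syntax in peername.ip, the entry and children pseudo-attributes, and the continue control. Before relying on any conclusion drawn from it, confirm it against the live server with slapacl.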