
LDAP Member Database

Holds the member data.

Responsible Admins

  • LukyLuke
  • Exception

Dependent Services

Access Rules

New LDAP ACL as of 28.04.2013

The order of the rules is important: slapd uses the first "to" clause that matches the target and, within it, the first "by" clause that matches the requester, so a rule placed too early can shadow the ones after it.

The rootdn need not be listed, as it has full access regardless of the ACL.

# Other system restricted access rule
# Only the listed peers may proceed to the later rules for these attributes;
# every other client is denied them outright.
to attrs=cn,l,info,description,st,street,title,telephoneNumber,mobile,postalCode,ppsBirthDate,ppsContributionClass,ppsGender,ppsJoining,ppsLeaving,ppsPreferredNotificationMethod,c,employeeNumber,employeeType,preferredLanguage,ppsAlternateMail
 by peername.ipv6=::1 none break
 by peername.ip="127.0.0.1" none break
 by peername.ip="10.0.0.103" none break
 # note: with a 255.255.255.255 mask this entry matches the single address 172.17.3.0 only
 by peername.ip="172.17.3.0%255.255.255.255" none break
 by * none stop

# Temp restricted access rule
to dn.subtree="dc=tmp,dc=piratenpartei,dc=ch"
 by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
 by group/ppsRole/roleOccupant.exact="cn=registrar,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by group/ppsRole/roleOccupant.exact="cn=treasurer,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by * none stop

# Password restricted access rule
# "auth" lets a DN be used for binding without disclosing or comparing the hash
to attrs=userPassword
 by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
 by self write
 by dn.base="cn=mdbgui,dc=piratenpartei,dc=ch" write
 by dn.base="cn=bind,dc=piratenpartei,dc=ch" auth
 by anonymous auth
 by * none stop

# Voting right until restricted access rule
to attrs=ppsVotingRightUntil
 by group/ppsRole/roleOccupant.exact="cn=actuary,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by group/ppsRole/roleOccupant.exact="cn=registrar,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by group/ppsRole/roleOccupant.exact="cn=treasurer,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by * read stop

# Selfservice access rule
# members may edit their own contact data; everyone else falls through to the rules below
to attrs=l,mail,mobile,postalCode,ppsBirthDate,ppsGender,ppsPreferredNotificationMethod,preferredLanguage,st,street,telephoneNumber,title,ppsAlternateMail,c
 by self write
 by * none break

# Location access rule
# the captured suffix ($1) names the location, whose board gets write access to it
to dn.regex="^.*(l=[A-Za-z]+,st=[a-z]+,dc=piratenpartei,dc=ch)$"
 by group/ppsGroup/member.expand="cn=board,$1" write
 by * none break

# State access rule
to dn.regex="^.*(st=[a-z]+,dc=piratenpartei,dc=ch)$"
 by group/ppsGroup/member.expand="cn=board,$1" write
 by * none break

# National access rule
to dn.subtree="dc=piratenpartei,dc=ch"
 by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
 by dn.base="cn=mdbgui,dc=piratenpartei,dc=ch" write
 by group/ppsGroup/member.exact="cn=Direction,cn=Board,dc=piratenpartei,dc=ch" write
 by group/ppsGroup/member.exact="cn=Presidium,cn=Board,dc=piratenpartei,dc=ch" read
 by group/ppsGroup/member.exact="cn=FIN,dc=workgroups,dc=piratenpartei,dc=ch" read
 by group/ppsGroup/member.exact="cn=GPK,dc=piratenpartei,dc=ch" read
 by group/ppsRole/roleOccupant.exact="cn=Voting,cn=AnK,dc=piratenpartei,dc=ch" read
 by group/ppsRole/roleOccupant.exact="cn=President,cn=AnK,dc=piratenpartei,dc=ch" read
 by group/ppsRole/roleOccupant.exact="cn=RegistrarAssistant,cn=ROA,dc=workgroups,dc=piratenpartei,dc=ch" read
 by self read
 by dn.base="cn=bind,dc=piratenpartei,dc=ch" read
 by dn.base="cn=redmine,dc=piratenpartei,dc=ch" read
 by anonymous auth
 by * none break

# Schema access rule
to dn.subtree="cn=subschema"
 by users read
 by * none break

# Read access to infrastructure
to filter="(|(objectClass=ppsOrganization)(objectClass=ppsSection)(objectClass=ppsGroup)(objectClass=ppsRole)(objectClass=ppsContainer))"
 by * read

# Final no access rule
to *
 by * none stop
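Because the outcome depends on rule order and on the stop/break controls, it helps to walk a few requests through the list before deploying a change. The following is an added example, not code from this wiki page: a small Python model of slapd's evaluation (first matching "to" directive, first matching "by" clause, "stop" is final, "break" lets a later directive replace the granted level) run over a constructed excerpt of the ACL above. Group, regex, filter and peername selectors are not modelled, and the member DN used in the checks is an assumption.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Constructed excerpt of the page's ACL; group and peername clauses are left out.
ACL = """to attrs=userPassword
 by self write
 by dn.base="cn=bind,dc=piratenpartei,dc=ch" auth
 by anonymous auth
 by * none stop
to attrs=mail,mobile
 by self write
 by * none break
to dn.subtree="dc=piratenpartei,dc=ch"
 by self read
 by dn.base="cn=bind,dc=piratenpartei,dc=ch" read
 by anonymous auth
 by * none break"""

def parse_acl(text):
    rules = []  # [(what, [(who, level, control), ...])] in file order
    for words in (line.split("#")[0].split() for line in text.splitlines()):
        if words[:1] == ["to"]:
            rules.append((words[1], []))
        elif words[:1] == ["by"]:  # a missing control means 'stop'
            rules[-1][1].append((words[1], words[2], words[3] if len(words) > 3 else "stop"))
    return rules

def what_matches(what, dn, attr):
    if what.startswith("attrs="):  # named attributes of any entry
        return attr in what[6:].split(",")
    if what.startswith("dn.subtree="):  # every attribute of entries under the base
        base = what[11:].strip('"').lower()
        return dn.lower() == base or dn.lower().endswith("," + base)
    return what == "*"  # regex, filter and group selectors are not modelled

def who_matches(who, binddn, dn):
    if who.startswith("dn.base="):
        return binddn is not None and binddn.lower() == who[8:].strip('"').lower()
    return {"*": True, "anonymous": binddn is None, "users": binddn is not None,
            "self": binddn is not None and binddn.lower() == dn.lower()}.get(who, False)

def allowed(rules, binddn, dn, attr, want):
    granted = "none"  # nothing matched: no access
    for what, bys in rules:
        if what_matches(what, dn, attr):  # first matching 'to' directive
            for who, level, ctrl in bys:  # first matching 'by' clause assigns the level
                if who_matches(who, binddn, dn):
                    granted = level
                    if ctrl == "stop":  # final decision
                        return LEVELS.index(granted) >= LEVELS.index(want)
                    break  # 'break': a later directive may replace the level
    return LEVELS.index(granted) >= LEVELS.index(want)
```

On a real server the authoritative check is slapacl, which evaluates the loaded configuration for a given bind DN, target entry and attribute/level.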
