h1. LDAP Member Database

Holds the member data.

h2. Responsible Admins

* LukyLuke
* Exception

h2. Dependent Services

* [[Services>registrationservice|RegistrationService]]
* [[Services>memberservice|MemberService]]
* [[Services>memberadmin|MemberAdmin]]
* [[Services>phpLdapAdmin|phpLdapAdmin]] (to be restricted to admins)
* -[[mdbgui:|MdbGUI]]- (phased out)
* [[Services>otrs|OTRS]]
* [[Services>SSO|SSO]] (CAS)
** [[Services>ldap|Redmine]]
** [[Services>web>homepage|Homepage]] (Drupal)
** [[Services>web>sections|Section Homepages]] (Wordpress)

h2. Access Rules

New LDAP ACL as of 28.04.2013

The *order* of the rules is very important. _The rootdn need not be mentioned, as it has full access regardless of the ACL._
# Other system restricted access rule
# Personal-data attributes that may only be evaluated for connections
# coming from the listed peer addresses.  Each address clause grants
# nothing itself ("none break") and merely lets evaluation fall through to
# the rules below; a connection from any other address hits "none stop"
# and is denied these attributes no matter which identity it bound as.
# NOTE(review): "172.17.3.0%255.255.255.255" carries a /32 mask, so it
# matches only the single address 172.17.3.0; if a whole /24 was intended
# the mask would be 255.255.255.0 -- confirm against the deployed config.
to attrs=cn,l,info,description,st,street,title,telephoneNumber,mobile,postalCode,ppsBirthDate,ppsContributionClass,ppsGender,ppsJoining,ppsLeaving,ppsPreferredNotificationMethod,c,employeeNumber,employeeType,preferredLanguage,ppsAlternateMail
 by peername.ipv6=::1 none break
 by peername.ip="127.0.0.1" none break 
 by peername.ip="10.0.0.103" none break 
 by peername.ip="172.17.3.0%255.255.255.255" none break 
 by * none stop
 
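# Temp restricted access rule
# Scratch subtree dc=tmp,dc=piratenpartei,dc=ch: members of the diradmin
# group get manage, the registrar and treasurer role occupants get write,
# everyone else is denied and evaluation stops (no later rule applies).
# Fixed: the registrar DN was spelled "dc=piatenpartei", which matched no
# entry and silently left the registrar without write access here.
to dn.subtree="dc=tmp,dc=piratenpartei,dc=ch"
 by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
 by group/ppsRole/roleOccupant.exact="cn=registrar,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by group/ppsRole/roleOccupant.exact="cn=treasurer,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by * none stop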

# Password restricted access rule
# userPassword is never readable: diradmin members may manage it, a user
# may change their own, the mdbgui service account may write anyone's,
# and the bind service account plus anonymous connections get "auth"
# only, i.e. the value can be checked during a bind but not read.
# Everyone else is denied and evaluation stops, so no later rule can
# widen access to this attribute.
# NOTE(review): the page header lists MdbGUI as phased out; its write
# clause here amounts to a password-reset capability over every entry and
# should be removed together with the service account once it is
# decommissioned.
to attrs=userPassword
 by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
 by self write
 by dn.base="cn=mdbgui,dc=piratenpartei,dc=ch" write
 by dn.base="cn=bind,dc=piratenpartei,dc=ch" auth
 by anonymous auth
 by * none stop
 
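# Voting right until restricted access rule
# ppsVotingRightUntil may be set by the actuary, registrar and treasurer
# role occupants; everyone else gets read and evaluation stops.
# Fixed: the registrar DN was spelled "dc=piatenpartei" and therefore
# matched no entry, leaving the registrar with read access only.
# NOTE(review): "by * read stop" does not single out anonymous the way
# the national rule does; whether an unauthenticated peer can actually
# reach the attribute depends on the entry-level access granted there --
# confirm this breadth is intended.
to attrs=ppsVotingRightUntil
 by group/ppsRole/roleOccupant.exact="cn=actuary,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by group/ppsRole/roleOccupant.exact="cn=registrar,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by group/ppsRole/roleOccupant.exact="cn=treasurer,cn=direction,cn=board,dc=piratenpartei,dc=ch" write
 by * read stop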

# Selfservice access rule
# Contact and profile attributes a member may edit on their own entry.
# Everyone else falls through ("none break") to the location, state and
# national rules, which decide what third parties may read or write.
to attrs=l,mail,mobile,postalCode,ppsBirthDate,ppsGender,ppsPreferredNotificationMethod,preferredLanguage,st,street,telephoneNumber,title,ppsAlternateMail,c
 by self write
 by * none break

# Location access rule
# Entries under a location (l=...,st=...,dc=piratenpartei,dc=ch): members
# of that location's board group get write.  The regex captures the
# location suffix and "$1" expands it into the group DN, so each local
# board is tied to its own subtree.  Non-matches fall through.
# NOTE(review): the character classes admit ASCII letters only (and
# lowercase only for st); a location or state value outside them never
# matches here, so its board silently gets no write from this rule.
to dn.regex="^.*(l=[A-Za-z]+,st=[a-z]+,dc=piratenpartei,dc=ch)$"
 by group/ppsGroup/member.expand="cn=board,$1" write
 by * none break

# State access rule
# Entries under a state (st=...,dc=piratenpartei,dc=ch): members of that
# state's board group get write, with "$1" expanding the captured suffix
# into the group DN.  Non-matches fall through to the national rule.
# NOTE(review): "st=[a-z]+" matches lowercase ASCII only; a state value
# with other characters is not covered by this rule.
to dn.regex="^.*(st=[a-z]+,dc=piratenpartei,dc=ch)$"
 by group/ppsGroup/member.expand="cn=board,$1" write
 by * none break
 
# National access rule
# Default access for the whole member tree, evaluated after the attribute
# and regional rules above:
#  - diradmin group members: manage
#  - mdbgui service account and the Direction board group: write
#  - Presidium, FIN, GPK groups and the Voting / President / 
#    RegistrarAssistant role occupants: read
#  - a member on their own entry, the bind and redmine service accounts: read
#  - anonymous: auth only (enough to bind); no "break", so evaluation
#    stops here for unauthenticated peers
#  - everyone else falls through to the schema and infrastructure rules.
# NOTE(review): MdbGUI is listed as phased out on this page; drop its
# write clause with the service account when it is decommissioned.
# NOTE(review): GPK is looked up directly under dc=piratenpartei,dc=ch
# rather than under cn=workgroups like FIN -- confirm that is where the
# group entry lives, otherwise the clause silently matches nobody.
to dn.subtree="dc=piratenpartei,dc=ch"
 by group/ppsGroup/member.exact="cn=diradmin,cn=di,dc=workgroups,dc=piratenpartei,dc=ch" manage
 by dn.base="cn=mdbgui,dc=piratenpartei,dc=ch" write 
 by group/ppsGroup/member.exact="cn=Direction,cn=Board,dc=piratenpartei,dc=ch" write
 by group/ppsGroup/member.exact="cn=Presidium,cn=Board,dc=piratenpartei,dc=ch" read 
 by group/ppsGroup/member.exact="cn=FIN,dc=workgroups,dc=piratenpartei,dc=ch" read 
 by group/ppsGroup/member.exact="cn=GPK,dc=piratenpartei,dc=ch" read 
 by group/ppsRole/roleOccupant.exact="cn=Voting,cn=AnK,dc=piratenpartei,dc=ch" read
 by group/ppsRole/roleOccupant.exact="cn=President,cn=AnK,dc=piratenpartei,dc=ch" read
 by group/ppsRole/roleOccupant.exact="cn=RegistrarAssistant,cn=ROA,dc=workgroups,dc=piratenpartei,dc=ch" read
 by self read 
 by dn.base="cn=bind,dc=piratenpartei,dc=ch" read
 by dn.base="cn=redmine,dc=piratenpartei,dc=ch" read
 by anonymous auth
 by * none break


# Schema access rule
# The subschema subentry is readable by any authenticated identity
# ("users"); everyone else falls through to the remaining rules.
to dn.subtree="cn=subschema"
 by users read
 by * none break

# Read access to infrastructure
# Organisation, section, group, role and container entries are readable
# by whoever reaches this rule, i.e. identities not already decided by a
# clause above (for the member tree that is any bound DN that fell
# through the national rule's "none break").
# NOTE(review): this also exposes the membership attributes of ppsGroup
# and ppsRole entries (member / roleOccupant), which reveal who holds
# privileged roles such as diradmin; none of the attribute rules above
# restrict them, so confirm that every bound member is meant to read the
# membership lists.
to filter="(|(|(|(objectClass=ppsOrganization)(objectClass=ppsSection))(|(objectClass=ppsGroup)(objectClass=ppsRole)))(objectClass=ppsContainer))"
 by * read

# Final no access rule
# Catch-all deny: anything not granted by an earlier rule is refused.
# Keep this as the last directive so the default stays deny.
to *
 by * none stop