From 1a90541a807fc5f7cd07b86943d7d7baff419fd8 Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Sun, 18 Jul 2021 12:50:46 +0200
Subject: [PATCH] [re2o-ldap-replica] allow nounou to bind to the ldap with
 full access

---
 .../templates/ldap/schema.ldif.j2             | 69 +++++++++++--------
 1 file changed, 42 insertions(+), 27 deletions(-)

diff --git a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2 b/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
index 564a2380..c597f1f6 100644
--- a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
+++ b/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
@@ -1114,33 +1114,48 @@ objectClass: olcHdbConfig
 olcDatabase: {1}hdb
 olcDbDirectory: /var/lib/ldap
 olcSuffix: {{ re2o_ldap_replica.suffix }}
-olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail by self write by an
- onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn
- =readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="
- cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * no
- ne
-olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell by self write by an
- onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn
- =readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="
- cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn
- =usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * none
-olcAccess: {2}to dn.base="" by * read
-olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}" by group="cn=
- auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn=re
- adonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
-olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by * read
-olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by grou
- p="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by self r
- ead by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}"
-  read by group="cn=usermgmt,ou=services,ou=groups,dc=example,dc=or
- g" write
-olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}" by gro
- up="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group
- ="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
-olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}" by * read
-olcAccess: {8}to * by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by self
-  read by group="cn=readonly,ou=services,ou=groups,dc=example,dc=or
- g" read
+olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self write
+        by anonymous auth
+        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+        by * none
+olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self write
+        by anonymous auth
+        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+        by * none
+olcAccess: {2}to dn.base=""
+        by * read
+olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}"
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}"
+        by * read
+olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}"
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}"
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}"
+        by * read
+olcAccess: {8}to *
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by self read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
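Review bot: The six new `by set=` clauses (the lines adding write for nounou in rules {0}, {1}, {3}, {5}, {6} and {8}) hard-code `dc=crans,dc=org` while every other DN in the template is built from `{{ re2o_ldap_replica.suffix }}`; on a replica deployed with a different suffix the set would presumably resolve to no entry and nounou access would silently fall through to the later clauses, so each should read `by set="[cn=nounou,ou=posix,ou=groups,{{ re2o_ldap_replica.suffix }}]/memberUid & user/uid" write`. In rule {5} the set clause is placed after `by group="cn=auth,..." read`, unlike the other rules where it comes first; since slapd stops at the first matching `by` clause, a nounou member who is also in cn=auth would get read rather than write there, so moving the set line above the auth line would make the rules consistent. Because rule {3} gives the same set write on `ou=groups,...`, which contains the nounou posixGroup itself, members can edit the memberUid list that defines their own privilege, and rule {0} lets them rewrite every user's userPassword; a one-line comment above rule {0} stating that nounou membership is equivalent to cn=admin and must be reviewed accordingly would document that intent for the next maintainer.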
 olcLastMod: TRUE
 olcRootDN: cn=admin,{{ re2o_ldap_replica.suffix }}
 olcRootPW: {{ re2o_ldap_replica.root_password_hash }}
-- 
GitLab