path: root/install/updates/40-delegation.update
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r--install/updates/40-delegation.update124
1 files changed, 124 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
new file mode 100644
index 000000000..307fb8cd9
--- /dev/null
+++ b/install/updates/40-delegation.update
@@ -0,0 +1,124 @@
+# Add the default roles
+
+dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: helpdesk
+add:description: Helpdesk
+
+dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: useradmin
+add:description: User Administrators
+
+dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: groupadmin
+add:description: Group Administrators
+
+dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: hostadmin
+add:description: Host Administrators
+
+dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: delegationadmin
+add:description: Role administration
+
+dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: serviceadmin
+add:description: Service Administrators
+
+dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: automountadmin
+add:description: Automount Administrators
+
+dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: netgroupadmin
+add:description: Netgroups Administrators
+
+dn: cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:objectClass: nestedgroup
+add:cn: useradmins
+add:description: User Administrators
+
+# Add the taskgroups referenced by the ACIs for user administration
+
+dn: cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:objectClass: top
+add:cn: taskgroups
+
+dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: addusers
+add:description: Add Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: change_password
+add:description: Change a user password
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: add_user_to_default_group
+add:description: Add user to default group
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: removeusers
+add:description: Remove Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: modifyusers
+add:description: Modify Users
+add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"
+
+# Add the ACIs that grant these permissions for user administration
+
+dn: $SUFFIX
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
+ ,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
+ aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
+ te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
+ ";)
+add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
+ ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
+ te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
+ ,$SUFFIX";)
+add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
+ 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
+ askgroups,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials
+ || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
+ umber || telephoneNumber || street || roomNumber || l || st || postalCode ||
+ manager || secretary || description || carLicense || labeledURI || inetUserHT
+ TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
+ //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
+ s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX";)
+
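Review bot: The groupdn in the "Modify Users" ACI on the last non-blank line of the hunk reads `ldap:///cn=modifyusers,cn=taskgroups,$SUFFIX`, which omits `cn=accounts` and therefore does not match the taskgroup this same file creates at `cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX`; the ACI would point at a non-existent group and the delegation would silently grant nothing. The line should read `s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)` so it agrees with the other four ACIs. Separately, the "change_password" ACI has a targetattr clause but, unlike every other ACI in this hunk, no target clause, so its write grant on userPassword/krbPrincipalKey and the other listed attributes is not limited to entries under cn=users,cn=accounts; if that is unintended, adding `(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")` in front of the targetattr would keep the grant scoped to user entries like the neighbouring rules. Finally, the roles useradmin and useradmins both carry the description "User Administrators" while only useradmins is made a member of the taskgroups, which deserves a comment explaining the distinction if both roles are intentional.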