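# Add the default roles
#
# Role groups live under cn=rolegroups,cn=accounts. They are what the
# taskgroups further down take as members; the taskgroups in turn are
# what the ACIs at the end of this file grant rights to.
#
# NOTE(review): cn=useradmin (groupofnames) and cn=useradmins (nestedgroup)
# both carry the description "User Administrators", but only cn=useradmins
# is referenced by the taskgroups below. Confirm whether cn=useradmin is
# still wanted or is a leftover.

dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: helpdesk
add:description: Helpdesk

dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: useradmin
add:description: User Administrators

dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: groupadmin
add:description: Group Administrators

dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: hostadmin
add:description: Host Administrators

dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: delegationadmin
add:description: Role administration

dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: serviceadmin
add:description: Service Administrators

dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: automountadmin
add:description: Automount Administrators

dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: netgroupadmin
add:description: Netgroups Administrators

dn: cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:objectClass: nestedgroup
add:cn: useradmins
add:description: User Administrators

# Add the taskgroups referenced by the ACIs for user administration
#
# Every taskgroup created here has cn=useradmins as its sole member, so a
# user placed in cn=useradmins receives all five user-administration rights
# at once. Membership is the only thing that ties a role to a right; the
# ACIs below name the taskgroup DN, not the role group.

dn: cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: nsContainer
add:objectClass: top
add:cn: taskgroups

dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: addusers
add:description: Add Users
add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"

dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: change_password
add:description: Change a user password
add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"

dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: add_user_to_default_group
add:description: Add user to default group
add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"

dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: removeusers
add:description: Remove Users
add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"

dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: groupofnames
add:cn: modifyusers
add:description: Modify Users
add:member:"cn=useradmins,cn=rolegroups,cn=accounts,$SUFFIX"

# Add the ACIs that grant these permissions for user administration
#
# All ACIs are placed on $SUFFIX itself. Each one grants a single right to
# the members of one taskgroup. "Add Users", "Remove Users" and
# "Modify Users" carry a target clause restricting them to
# uid=*,cn=users,cn=accounts; "Add user to default group" is restricted to
# the member attribute of cn=ipausers,cn=groups,cn=accounts.
#
# NOTE(review): the "change_password" ACI has a targetattr clause but no
# target clause. With no target, an ACI placed on $SUFFIX covers $SUFFIX and
# every entry beneath it, so this grants write on userPassword,
# krbPrincipalKey, sambaLMPassword, sambaNTPassword and passwordHistory for
# any entry under the suffix that has them, not only for user entries under
# cn=users. If that breadth is not intended, add
# (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX") like its siblings.
#
# Fixed: the "Modify Users" groupdn used to read
# cn=modifyusers,cn=taskgroups,$SUFFIX, but the taskgroup is created above
# at cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX (and no
# cn=taskgroups,$SUFFIX container exists in this file). A groupdn that
# resolves to no entry matches nobody, so the delegation silently never took
# effect. The DN now matches the other four ACIs.

dn: $SUFFIX
add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
  3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups
 ,cn=accounts,$SUFFIX";)
add:aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || samb
 aNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (wri
 te) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
 ";)
add:aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accoun
 ts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (wri
 te) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts
 ,$SUFFIX";)
add:aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
  3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=t
 askgroups,cn=accounts,$SUFFIX";)
add:aci: (targetattr = "givenName || sn || cn || displayName || title || initials 
 || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneN
 umber || telephoneNumber || street || roomNumber || l || st || postalCode || 
 manager || secretary || description || carLicense || labeledURI || inetUserHT
 TPURL || seeAlso || employeeType || businessCategory || ou")(target = "ldap:/
 //uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify User
 s";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)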