Diffstat (limited to 'install/updates/30-provisioning.update')
-rw-r--r-- | install/updates/30-provisioning.update | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
index a32312b71..f1666ff3a 100644
--- a/install/updates/30-provisioning.update
+++ b/install/updates/30-provisioning.update
@@ -18,9 +18,31 @@ default: cn: staged users
 dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
 default: objectclass: top
 default: objectclass: nsContainer
-default: cn: staged users
+default: cn: deleted users
 # This is used for the admin to know if credential are set for stage users
-# We can do a query on a DN to see if an attribute exists.
+# We can do a query on a DN to see if an attribute exists or retrieve the value
 dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
-add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
+add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
+
+# This is used for the admin to reset the delete users credential
+dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
+add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
+add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";)
+
+dn: cn=provisioning accounts lock,cn=accounts,cn=provisioning,$SUFFIX
+default: objectClass: top
+default: objectClass: cosSuperDefinition
+default: objectClass: cosPointerDefinition
+default: objectClass: ldapSubEntry
+default: costemplatedn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
+default: cosAttribute: nsaccountlock operational
+default: cn: provisioning accounts lock
+
+dn: cn=Inactivation cos template,cn=accounts,cn=provisioning,$SUFFIX
+default: objectClass: top
+default: objectClass: extensibleObject
+default: objectClass: cosTemplate
+default: cosPriority: 1
+default: cn: Inactivation cos template
+default: nsAccountLock: true |
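Review bot: The deny ACI added on `cn=deleted users` is named "No one can add entry in Delete container", but its bind rule is `userdn = "ldap:///all"`, which in 389 Directory Server matches authenticated users only; anonymous binds are matched by `ldap:///anyone`, so the rule does not cover them unless anonymous add is already refused by an ACI outside this hunk. If the intent is literally "no one", the bind rule should read `userdn = "ldap:///anyone"`, and a one-line comment above the ACI stating that the deny is a backstop (Directory Manager bypasses ACIs, and deny rules take precedence over any allow on the same target) would make the ordering assumption explicit. The first ACI change widens the admin's rights on `cn=staged users` from `search` to `read, search` on `userPassword || krbPrincipalKey`, which lets the admin account retrieve stored hashes and Kerberos key material rather than only test for presence; the comment says "or retrieve the value" but not why, so it is worth a comment naming the consumer that needs the values, and confirming that `read` on `krbPrincipalKey` is actually required rather than on `userPassword` alone. The same question applies to the `read` grant in the "Admins allowed to reset password and kerberos keys" ACI, where a reset path would normally need `write` but not `read` on the key attributes.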