Skip to content

Improvement on ACLs for root #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Improvement on ACLs for root #26

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
303f659
Review root privileges on cn=config and cn=monitor
coudot May 21, 2025
7d52f46
Give root manage rights on all data
coudot May 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions playbook/multimaster.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,9 @@
ldaptoolbox_olcPasswordHash: "{SSHA256}"
# Access rights
ldaptoolbox_openldap_access_list:
- to attrs=userPassword by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" =wxd by group/groupOfNames/member.exact="cn=admin,ou=groups,{{ ldaptoolbox_openldap_suffix }}" =wxd by dn.base="uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}" read by self =wxd by * auth
- to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by group/groupOfNames/member.exact="cn=admin,ou=groups,{{ ldaptoolbox_openldap_suffix }}" write by users read
- to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
- to attrs=userPassword by group/groupOfNames/member.exact="cn=admin,ou=groups,{{ ldaptoolbox_openldap_suffix }}" =wxd by dn.base="uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}" read by self =wxd by * auth
- to * by group/groupOfNames/member.exact="cn=admin,ou=groups,{{ ldaptoolbox_openldap_suffix }}" write by users read
# Indexes definition
ldaptoolbox_openldap_database_olcDbIndexes:
- "entryCSN,entryUUID eq"
Expand Down
5 changes: 2 additions & 3 deletions templates/var/backups/openldap/config.ldif
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,8 +111,7 @@ olcSortVals: {{ ldaptoolbox_openldap_olcSortVals }}
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to attrs=userPassword by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" =wxd by * auth
olcAccess: {1}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcLastBind: TRUE
Expand Down Expand Up @@ -202,7 +201,7 @@ objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcRootDN: {{ ldaptoolbox_openldap_monitor_olcRootDN }}
olcRootPW: {{ ldaptoolbox_openldap_monitor_olcRootPW_hash }}
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcLastBind: TRUE
Expand Down