7f085e8b8b
for anyone, and since LDAP additions now check for attribute write access, the addition now fails. Allowing objectClass write access for the user that performs the LDAP addition fixes the problem. Approved by ando@
# master slapd config -- for testing
|
|
# $OpenLDAP$
|
|
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
##
|
|
## Copyright 1998-2008 The OpenLDAP Foundation.
|
|
## All rights reserved.
|
|
##
|
|
## Redistribution and use in source and binary forms, with or without
|
|
## modification, are permitted only as authorized by the OpenLDAP
|
|
## Public License.
|
|
##
|
|
## A copy of this license is available in the file LICENSE in the
|
|
## top-level directory of the distribution or, alternatively, at
|
|
## <http://www.OpenLDAP.org/license.html>.
|
|
|
|
# The @SCHEMADIR@ / @TESTDIR@ / @BACKEND@ tokens are placeholders; presumably
# the test harness substitutes them before slapd is started (the file header
# says this config is "for testing") -- it is not loadable as-is.
include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
pidfile @TESTDIR@/slapd.1.pid
argsfile @TESTDIR@/slapd.1.args
|
|
|
|
# global ACLs
#
# normal installations should protect root dse, cn=monitor, cn=subschema
#
# How slapd evaluates these: the first "access to" directive whose <what>
# matches the target entry/attribute is the one used; its "by" clauses are
# then tried in order and the first matching <who> decides, unless that
# clause says "continue" (keep trying later "by" clauses) or "break" (move on
# to the next "access to" directive). A directive whose "by" clauses all fail
# to match denies access. Database-level ACLs are consulted before these
# global ones (see "fall into global ACLs" at the end of this file).
#
# Layout note: slapd.conf continuation lines must start with whitespace;
# the indented "by ..." lines below belong to the preceding "access to".
#
# dn.exact="" is the root DSE. Only authenticated users may read its
# objectClass; anonymous requests for it fall to the catch-all below.

access to dn.exact="" attrs=objectClass
	by users read
# NOTE(review): everything not claimed by an earlier directive -- the rest of
# the root DSE, cn=Subschema, cn=Monitor and any database entry whose ACLs
# fall through -- is readable anonymously here. Acceptable for the test
# suite; a real deployment should narrow this (e.g. "by users read" or
# "by * none" with explicit grants for the root DSE and subschema).
access to *
	by * read
|
|
|
|
# Dynamic-module directives. The "#mod#" / "#monitormod#" prefixes keep them
# commented out; presumably the test harness strips the prefix when slapd was
# built with the corresponding backend as a loadable module -- TODO confirm
# against the test driver.
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
|
|
|
|
#######################################################################
# database definitions
#######################################################################

database @BACKEND@

suffix "dc=example,dc=com"
# The on-disk database directory; in a deployment it must be owned by the
# slapd user and not be readable by anyone else, since it holds every entry
# (including password hashes) unprotected by ACLs.
directory @TESTDIR@/db.1.a
# rootdn is not subject to any of the ACLs in this file -- it is full
# administrative access to this database.
rootdn "cn=Manager,dc=example,dc=com"
# NOTE(review): cleartext root password, acceptable only because this is a
# throwaway test instance. Outside the test suite use a hashed value produced
# by slappasswd(8) (e.g. an {SSHA} string), or omit rootpw entirely and let the
# root identity authenticate some other way.
rootpw secret
# Backend-specific index directives; the "#bdb#"/"#hdb#"/"#ndb#" prefixes are
# presumably stripped by the harness for the selected @BACKEND@ only.
#bdb#index objectClass eq
#bdb#index cn,sn,uid pres,eq,sub
#hdb#index objectClass eq
#hdb#index cn,sn,uid pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
|
|
|
|
#access to attrs=objectclass dn.subtree="dc=example,dc=com"
# objectClass access for the whole database. Because this directive comes
# first and matches every entry's objectClass, no later directive in this
# file ever decides objectClass access -- first matching "access to" wins.
#
# Bjorn Jensen gets "add" (write access sufficient to create entries): the
# add operation checks write access on each attribute of the new entry, so
# without this the test's LDAP additions fail (see the commit message).
# Everyone else gets exactly read/search/compare ("=rsc"): no write, and
# "stop" ends evaluation here (stop is also the default control).
access to attrs=objectclass
	by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
	by * =rsc stop
|
|
|
|
#access to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
# userPassword on entries matching (objectclass=person):
#  - anonymous: "auth" only -- enough to perform a simple bind, but the
#    stored value can never be read or searched against;
#  - the entry's owner ("self"): exactly write + auth ("=wx"), so a user can
#    change their own password but still not read the hash back;
#  - nobody else matches, so everyone else is denied (implicit "by * none").
#
# NOTE(review): the filter limits this to person entries. A userPassword on
# an entry that does not match the filter is not covered here and falls
# through to the later directives -- ultimately the global "access to *
# by * read" -- unless a dn-based directive below claims it first. Fine for
# exercising filter-based ACLs in the test suite; do not copy this shape into
# a deployment without a catch-all "access to attrs=userPassword" rule.
access to filter="(objectclass=person)" attrs=userpassword
	by anonymous auth
	by self =wx
|
|
|
|
# Value-specific ACLs: "attrs=cn val=..." / "val.regex=..." restricts a
# directive to particular values of cn. Each value-specific directive ends
# with "by * break", which hands any non-matching user over to the next
# "access to" directive instead of denying, so the final plain "attrs=cn"
# directive for the same entry supplies the fallback (search only).
#
# Mark Elliot: Barbara may read the value "Mark A Elliot", Bjorn the value
# "Mark Elliot"; anyone else only gets search access to cn.
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
	attrs=cn val="Mark A Elliot"
	by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
	attrs=cn val="Mark Elliot"
	by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
	attrs=cn
	by * search

# John Doe: same pattern with regex value selectors. Note these patterns are
# anchored only at the start ("^John D.+", "^Jonath.+"); regex selectors match
# wherever the expression fits, so pin both ends when the intent is an
# exact-shape match.
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
	attrs=cn val.regex="^John D.+"
	by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
	attrs=cn val.regex="^Jonath.+"
	by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
	attrs=cn
	by * search

# Entries directly under the ITD ou (dn.onelevel = immediate children only,
# not deeper descendants) whose cn ends in "Jensen": the two Jensens may read
# those cn values; everyone else breaks out to the next directive.
access to dn.onelevel="ou=Information Technology Division,ou=People,dc=example,dc=com"
	filter="(cn=*Jensen)"
	attrs=cn val.regex=".*Jensen$"
	by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
	by * break

access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
	attrs=cn
	by * search
|
|
|
|
# Incremental privilege composition for everything below the Alumni ou
# (dn.children = all descendants, excluding the ou entry itself). Each "+"
# clause adds privileges and "continue" moves on to the next "by" clause, so
# a user matching all three ends up with compare + read + search + disclose;
# the final "by * stop" ends evaluation with whatever has been accumulated.
#
# NOTE(review): the regex ".+,dc=example,dc=com" has no trailing "$", so it
# also matches DNs that merely contain that suffix somewhere. Harmless here
# (the next clause grants more to the whole subtree anyway), but anchor such
# patterns -- compare the "^...$" form used in the group directive below --
# whenever they decide access on their own.
access to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
	by dn.regex=".+,dc=example,dc=com" +c continue
	by dn.subtree="dc=example,dc=com" +rs continue
	by dn.children="dc=example,dc=com" +d continue
	by * stop
|
|
|
|
#access to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
# Group membership attributes. "selfwrite" lets a user add or remove only a
# value equal to their own DN, so James A Jones 1 -- and any user already
# listed as a member/uniqueMember of the entry ("dnattr=...") -- can leave or
# re-join a group but cannot edit other members. Everyone else may read.
access to attrs=member,uniquemember
	by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
	by dnattr=member selfwrite
	by dnattr=uniquemember selfwrite
	by * read

#access to attrs=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
# NOTE(review): this directive is shadowed -- the preceding one already
# matches member/uniqueMember on every entry and never "break"s, so this
# more specific rule is never consulted. Presumably it exists to exercise the
# ACL parser; ordering more specific directives before general ones is what a
# real config needs.
access to attrs=member,uniquemember filter="(mail=*com)"
	by * read
|
|
|
|
#access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
# Group entries: Bjorn first gets exactly search + compare ("=sc") and the
# "continue" control keeps evaluating; the second clause matches him again
# (its regex is fully anchored with ^ and $, the safe way to write a DN
# regex) and adds read + write, then "stop"s. Anyone else breaks out to the
# next directive rather than being denied here.
access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
	by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
	by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
	by * break
|
|
|
|
# Group-based grant: anyone listed as a uniqueMember of cn=ITD Staff may
# write every entry below the ITD ou; everyone else may read. Group
# membership is resolved by slapd reading the group entry, so whoever can
# modify that group's uniqueMember controls write access here.
access to dn.children="ou=Information Technology Division,ou=People,dc=example,dc=com"
	by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
	by * read

# Set-based grant: "[<group dn>]/member*" expands the group's member
# attribute and, via "*", follows it through nested groups; intersecting
# with "user" is non-empty exactly when the bound user is a (possibly
# nested) member. Such members may write the group entry; others read.
access to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
	by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
	by * read
|
|
|
|
#access to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
# No privilege level is named in this clause -- it only exercises a filter
# with multiple wildcards and the "continue" control; presumably nothing in
# the test data matches (name=X*Y*Z). TODO confirm what slapd grants when the
# level is omitted before reusing this shape.
access to filter="(name=X*Y*Z)"
	by * continue

# Separate entry-level add and delete privileges (dn.subtree covers the ou
# itself and everything beneath it): Bjorn may only add entries, Barbara may
# only delete them, James A Jones 1 has full write, everyone else reads.
access to dn.subtree="ou=Add & Delete,dc=example,dc=com"
	by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
	by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" delete
	by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
	by * read

# fall into global ACLs
# Anything not matched by a database directive above is decided by the
# global "access to * by * read" near the top of this file -- i.e. readable
# by anyone, including anonymous binds.
|
|
|
|
# cn=Monitor backend, enabled only when the harness strips the "#monitor#"
# prefix. It has no ACLs of its own here, so it is governed by the global
# "access to * by * read" above -- protect it in a real deployment.
#monitor#database monitor
|