# (C) 2014 by Jens Elkner
#
# LDIF template that sets up a delegated LDAP admin group for one subtree:
#   1. (re)creates the ldapadm role group,
#   2. attaches server privileges to its members via a collective-attribute
#      subentry,
#   3. grants the group read/write/proxy ACIs on its own subtree and read
#      ACIs on a second subtree,
#   4. replaces the server's global ACI set.
# The attribute names (ds-cfg-global-aci, ds-privilege-name, ...) and the
# "cn=config" entries look like an OpenDJ/OpenDS style directory server --
# confirm before applying to another product.
#
# Placeholders (substitute before loading):
# @IP@ .. a comma-separated list of CIDRs of managing machines
# all lower case
# @institute@ .. the common abbrev for a subdivision
# @department@ .. the common abbrev for a division
# @org@ .. the common abbrev of the organisation/entity
# @uid1@ .. uid of the first member of the admin group
# @othersub@, @tree@ .. a second subtree (ou=@othersub@,ou=@tree@,o=@org@)
#   the admin group gets read access to
# human readable (mixed case)
# @Institute@ .. the common [abbrev.] name for @institute@
# @Department@ .. the common [abbrev.] name for @department@

# Recreate the admin group from scratch. The delete fails (and a plain
# ldapmodify stops) if the group does not exist yet -- run the tool in
# continue-on-error mode for a first-time install.
dn: cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@
changetype: delete

dn: cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@
changetype: add
cn: ldapadm
description: @Department@/@Institute@ LDAP Admin Group
objectClass: groupOfNames
member: uid=@uid1@,ou=people,ou=@institute@,ou=@department@,o=@org@
# ...
# add as many admins as you wish here
seeAlso: cn=@institute@-adm-privs,ou=@department@,o=@org@

# Collective-attribute subentry: every entry below ou=@institute@ (base is
# relative to the subentry's parent) that matches the specificationFilter,
# i.e. every member of the ldapadm group, collects the privileges listed here.
# Membership in the group is therefore the only thing that gates these
# privileges -- keep the group's own ACI (below) tight.
dn: cn=@institute@-adm-privs,ou=@department@,o=@org@
changetype: add
cn: @institute@-adm-privs
description: LDAP Admin Privileges for the @Department@/@Institute@ subtree
objectClass: extensibleObject
objectClass: collectiveAttributeSubentry
objectClass: subentry
ds-privilege-name;collective: cancel-request
ds-privilege-name;collective: config-read
ds-privilege-name;collective: disconnect-client
ds-privilege-name;collective: jmx-notify
ds-privilege-name;collective: jmx-read
# ldif-export: presumably allows dumping backends (incl. password hashes) --
# confirm this is wanted for every group member.
ds-privilege-name;collective: ldif-export
ds-privilege-name;collective: password-reset
# proxied-auth: together with the "proxy" right in the ACIs below, members can
# perform operations as other users; this is the most powerful entry here.
ds-privilege-name;collective: proxied-auth
ds-privilege-name;collective: subentry-write
# 0 presumably lifts the search size limit for members -- confirm against the
# server's resource-limit documentation.
ds-rlim-size-limit;collective: 0
# NOTE(review): judging by its name, this policy disables lockout and expiry
# for admin accounts, so brute-force lockout no longer protects them; the
# IP/ssf restrictions in the ACIs below become the main control.
ds-pwp-password-policy-dn;collective: cn=No Lock/No Expire Password Policy,cn=Password Policies,cn=config
subtreeSpecification: { base "ou=@institute@", specificationFilter "(isMemberOf=cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@)" }
# Verification: subentries are not returned by an ordinary search, hence the
# explicit (objectClass=subentry) filter in the command below.
#openldapsearch -H ldap://${SERVER}:389 -ZZ -x -D "cn=YourDITadmin" -W -b "cn=@institute@-adm-privs,ou=@department@,o=@org@" -s base -a always "(|(objectClass=subentry)(objectClass=ldapSubentry))" "*" "+"

# ACIs on the institute's own subtree. "replace: aci" discards whatever ACIs
# already exist on this entry; the three "add: aci" mods extend the new set.
# Every ACI below is bound to the ldapadm group AND to the client address:
# from @IP@ only with a session security strength factor >= 112 (i.e. TLS),
# while loopback clients are exempt from the ssf requirement -- presumably
# for local admin tooling; confirm this is intended.
dn: ou=@institute@,ou=@department@,o=@org@
changetype: modify
replace: aci
# Full read/write/proxy on all user attributes plus the listed password-policy
# and resource-limit operational attributes.
aci: ( targetattr = "* || pwdPolicySubentry || ds-pwp-account-disabled || ds-pwp-account-expiration-time || pwdGraceUseTime || pwdHistory || pwdReset || ds-rlim-idle-time-limit || ds-rlim-size-limit || ds-rlim-time-limit" ) ( version 3.0; acl "@Department@/@Institute@ Admin [operational] attr read-write-proxy"; allow (all,proxy) (groupdn = "ldap:///cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@") and ((ip = "@IP@" and ssf >= "112") or (ip = "127.0.0.1")) ;)
-
add: aci
# Read-only (plus proxy) on operational attributes that must not be writable,
# notably aci and ds-privilege-name.
aci: ( targetattr = "isMemberOf || collectiveAttributeSubentries || aci || ds-pwp-last-login-time || ds-privilege-name || pwdChangedTime || pwdFailureTime || ds-pwp-password-changed-by-required-time || ds-pwp-warned-time" ) ( version 3.0; acl "@Department@/@Institute@ Admin operational attr read-proxy"; allow(read,search,compare,proxy) (groupdn = "ldap:///cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@") and ((ip = "@IP@" and ssf >= "112") or (ip = "127.0.0.1")) ;)
-
add: aci
# Extended operations: 1.3.6.1.1.8 is the LDAP Cancel operation (RFC 3909);
# 1.3.6.1.4.1.26027.1.6.2 is vendor-specific -- check the server docs.
aci: ( extop = "1.3.6.1.1.8 || 1.3.6.1.4.1.26027.1.6.2" ) ( version 3.0; acl "@Department@/@Institute@ Admin extended operations"; allow (all,proxy) (groupdn = "ldap:///cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@") and ((ip = "@IP@" and ssf >= "112") or (ip = "127.0.0.1")) ;)
-
add: aci
# Request controls the admins may use; 1.3.6.1.4.1.4203.1.10.1 is the
# Subentries control (RFC 3672), the 42.2.27.9.5.* OIDs are vendor-specific.
aci: ( targetcontrol = "1.3.6.1.4.1.42.2.27.9.5.2 || 1.3.6.1.4.1.42.2.27.9.5.8 || 1.3.6.1.4.1.4203.1.10.1" ) ( version 3.0; acl "@Department@/@Institute@ Admin extended controls"; allow (read) (groupdn = "ldap:///cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@") and ((ip = "@IP@" and ssf >= "112") or (ip = "127.0.0.1")) ;)

# Read access (all attributes and the aci attribute) on a second subtree.
# NOTE(review): both groupdn values in this ACI are identical; presumably one
# of them was meant to name another subtree's ldapadm group -- confirm, or
# drop the duplicate. "replace: aci" again discards existing ACIs on the entry.
dn: ou=@othersub@,ou=@tree@,o=@org@
changetype: modify
replace: aci
aci: ( targetattr = "* || aci" ) ( version 3.0; acl "@Department@/@Institute@ Admin all attr and aci read"; allow (read,search,compare) (groupdn = "ldap:///cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@" or groupdn = "ldap:///cn=ldapadm,ou=roles,ou=@institute@,ou=@department@,o=@org@") and ((ip = "@IP@" and ssf >= "112") or (ip = "127.0.0.1")) ;)

# Global ACIs. This replaces the COMPLETE set of global ACIs on the server;
# any default ACI not repeated below is removed. Rights not granted here are
# denied, so the lists below are the whole anonymous/authenticated surface.
dn: cn=Access Control Handler,cn=config
changetype: modify
replace: ds-cfg-global-aci
# Anonymous extended operations: StartTLS (1.3.6.1.4.1.1466.20037), Password
# Modify (1.3.6.1.4.1.4203.1.11.1), Who Am I (1.3.6.1.4.1.4203.1.11.3) and two
# vendor-specific operations (1.3.6.1.4.1.26027.1.6.*) -- check the latter
# against the server docs.
ds-cfg-global-aci: (extop = "1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3") ( version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone"; )
ds-cfg-global-aci: (targetcontrol = "2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 1.2.840.113556.1.4.1413") ( version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone"; )
ds-cfg-global-aci: (targetcontrol = "1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") ( version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all"; )
# The replication changelog is explicitly denied to everyone at this level.
ds-cfg-global-aci: (target = "ldap:///dc=replicationchanges")(targetattr = "*") ( version 3.0; acl "Replication backend access"; deny (all) userdn="ldap:///anyone"; )
ds-cfg-global-aci: (target = "ldap:///cn=schema")(targetscope = "base") (targetattr = "objectClass || attributeTypes || dITContentRules || dITStructureRules|| ldapSyntaxes || matchingRules || matchingRuleUse || nameForms || objectClasses") ( version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone"; )
ds-cfg-global-aci: (target = "ldap:///")(targetscope = "base") (targetattr = "objectClass || namingContexts || supportedAuthPasswordSchemes || supportedControl || supportedExtension || supportedFeatures || supportedLDAPVersion || supportedSASLMechanisms || vendorName || vendorVersion || supportedTLSCiphers || supportedTLSProtocols") ( version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone"; )
ds-cfg-global-aci: (targetattr = "entryDN || entryUUID || subschemaSubentry || etag || numSubordinates || hasSubordinates || structuralObjectClass") ( version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone"; )
ds-cfg-global-aci: (targetattr = "createTimestamp || creatorsName || modifiersName || modifyTimestamp || ds-pwp-account-disabled || ds-pwp-password-policy-dn || pwdAccountLockedTime") ( version 3.0; acl "Authenticated-User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///all"; )
ds-cfg-global-aci: (targetattr = "pwdPolicySubentry || ds-rlim-idle-time-limit || ds-rlim-lookthrough-limit || ds-rlim-size-limit || ds-rlim-time-limit || ds-pwp-account-expiration-time || ds-pwp-last-login-time || ds-pwp-password-changed-by-required-time || ds-pwp-reset-time || ds-pwp-warned-time || ds-privilege-name || pwdReset || pwdExpirationTime || pwdChangedTime || pwdGraceUseTime || pwdFailureTime || pwdHistory") ( version 3.0; acl "Self-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///self"; )
# Anonymous read is a DENY-LIST ("targetattr !="): every user attribute not
# named here (plus "+", all operational attributes) is readable without
# authentication. Any new sensitive attribute added to the schema later must be
# appended to this list, otherwise it is exposed anonymously by default.
# The attributes excluded here are handed out more narrowly by the three ACIs
# that follow (authenticated users, self-write, self-read).
ds-cfg-global-aci: (targetattr != "+ || userPassword || authPassword || changes || changeNumber || changeType || changeTime || targetDN || newRDN || newSuperior || deleteOldRDN || targetEntryUUID || changeInitiatorsName || changeLogCookie || includedAttributes || nisSecretKey || manager || owner || employeeNumber || facsimileTelephoneNumber || homePhone || mobile || pager || originUUID || originURI") ( version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone"; )
ds-cfg-global-aci: (targetattr = "facsimileTelephoneNumber || homePhone || mobile") ( version 3.0; acl "Authenticated users read access"; allow (read,search,compare) userdn="ldap:///all"; )
# Self-service writes: password attributes and contact details, including the
# NIS key pair. userPassword/authPassword are writable but, by design, not
# readable by anyone below (only the "Self entry read" ACI grants read, and
# the server normally returns hashes at most).
ds-cfg-global-aci: (targetattr = "userPassword || authPassword || displayName || initials || preferredLanguage || homePostalAddress || facsimileTelephoneNumber || homePhone || mobile || telephoneNumber || pager || nisPublicKey || nisSecretKey") ( version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self"; )
ds-cfg-global-aci: (targetattr = "userPassword || authPassword || nisSecretKey || manager || owner || pager || employeeNumber") ( version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self"; )