[debian-edu-commits] debian-edu/ 02/02: Revert "Remove unused (and outdated) files etc/ldap/slapd-debian-edu.conf and etc/ldap/slapd-lenny_debian-edu.conf"
Holger Levsen
holger at moszumanska.debian.org
Mon Jan 5 19:15:24 UTC 2015
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to branch master
in repository debian-edu-config.
commit 66779c5ad7c18a5b0d43f135dbc03ec7175a52e9
Author: Holger Levsen <holger at layer-acht.org>
Date: Mon Jan 5 20:15:07 2015 +0100
Revert "Remove unused (and outdated) files etc/ldap/slapd-debian-edu.conf and etc/ldap/slapd-lenny_debian-edu.conf"
This reverts commit 1c70a6089659f4c3e0949c4be048f493c60bbab5.
---
debian/changelog | 2 -
etc/ldap/slapd-debian-edu.conf | 210 +++++++++++++++++++++++++++++++++++
etc/ldap/slapd-lenny_debian-edu.conf | 195 ++++++++++++++++++++++++++++++++
3 files changed, 405 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 58e6784..4c58a51 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,8 +6,6 @@ debian-edu-config (1.816) UNRELEASED; urgency=medium
executed). (Closes: #774392).
* etc/ldap/slapd-squeeze_debian-edu.conf: unset 'dbnosync' to avoid
possible data loss. (Closes: #774610).
- * Remove unused (and outdated) files etc/ldap/slapd-debian-edu.conf
- and etc/ldap/slapd-lenny_debian-edu.conf
-- Wolfgang Schweer <wschweer at arcor.de> Thu, 01 Jan 2015 23:26:29 +0100
diff --git a/etc/ldap/slapd-debian-edu.conf b/etc/ldap/slapd-debian-edu.conf
new file mode 100644
index 0000000..419f13e
--- /dev/null
+++ b/etc/ldap/slapd-debian-edu.conf
@@ -0,0 +1,210 @@
+# Allow LDAPv2 binds
+allow bind_v2
+
+# The skolelinux slapd configuration file
+#
+# $Id: slapd-skolelinux.conf,v 1.7 2003/06/27 14:47:20 pere Exp $
+
+# Schema and objectClass definitions
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/nis.schema
+include /etc/ldap/schema/courier.schema
+include /etc/ldap/schema/automount.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/samba.schema
+include /etc/ldap/schema/lis.schema
+include /etc/ldap/schema/dhcp.schema
+include /etc/ldap/schema/dnsdomain2.schema
+include /etc/ldap/schema/kerberos.schema
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile /var/run/slapd/slapd.pid
+
+# Read slapd.conf(5) for possible values
+#loglevel 65535
+loglevel none
+
+rootDSE /etc/ldap/rootDSE-debian-edu.ldif
+
+# TLS/SSL
+TLSCACertificateFile /etc/ldap/ssl/slapd.pem
+TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
+TLSCertificateFile /etc/ldap/ssl/slapd.pem
+#TLSCACertificateFile /var/lib/pyca/Root/cacert.pem
+#TLSCertificateKeyFile /var/lib/pyca/ServerCerts/private/cakey.pem
+#TLSCertificateFile /var/lib/pyca/ServerCerts/cacert.pem
+
+modulepath /usr/lib/ldap
+moduleload back_bdb
+moduleload back_monitor
+
+defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
+security update_ssf=128 simple_bind=128
+
+backend bdb
+backend monitor
+
+
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+# The backend type, ldbm, is the default standard
+
+database bdb
+# Set the database in memory cache size.
+#
+cachesize 4000
+#dbnosync
+sizelimit 4000
+
+# First database
+suffix "dc=skole,dc=skolelinux,dc=no"
+rootdn "cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no"
+# Where the database file are physically stored
+directory "/var/lib/ldap"
+
+# Indices to maintain
+index objectClass pres,eq
+index cn,sn,ou pres,eq,sub
+index uid pres,eq,sub
+index groupType eq
+index uidNumber eq
+index gidNumber eq
+index memberUid eq
+index default eq
+#for some clients, even if not used
+index givenname eq
+index displayName eq
+index telephoneNumber eq
+
+#samba index
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index sambaGroupType eq
+index sambaSIDList eq
+
+# PowerDNS index
+index associatedDomain pres,eq,sub
+
+# Save the time that the entry gets modified
+lastmod on
+
+
+
+# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
+# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
+#
+
+access to dn.base="cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no"
+ by dn.exact="cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
+ by * none break
+
+access to *
+ by group/lisAclGroup/member="cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+ by dn.exact="cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * none break
+
+access to dn.base="cn=nextID,ou=variables,dc=skole,dc=skolelinux,dc=no"
+ attrs=gidNumber
+ by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+ by * read
+
+# Don not give jradmins access to the userPassword attribute of the higher privileged
+
+access to dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no"
+ attrs=userPassword
+ by self ssf=128 =wx
+ by anonymous ssf=128 auth
+ by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" none
+ by * none
+
+access to dn.exact="cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no"
+ attrs=userPassword
+ by self ssf=128 =wx
+ by anonymous ssf=128 auth
+ by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" none
+ by * none
+
+access to attrs=userPassword
+ by self ssf=128 =wx
+ by anonymous ssf=128 auth
+ by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * none
+
+access to attrs=shadowLastChange
+ by self ssf=128 =w
+ by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * none
+
+#
+# Allow samba to add groupmap information to existing groups.
+#
+access to dn.subtree="ou=group,dc=skole,dc=skolelinux,dc=no"
+ attrs=objectClass,sambaSID,sambaGroupType,displayName,description,sambaSIDList
+ by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+ by * none break
+
+#
+# Ensure samba password hashes.
+#
+# Restricted access to some samba attributes
+# (allow access for admin to don't break old installations)
+# Restricted jradmin from accessing the attributes of the higher privileged
+access to attrs=sambaLMPassword,sambaNTPassword
+ by self ssf=128 =w
+ by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
+ by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * none
+
+access to attrs=sambaPwdLastSet,sambaPwdCanChange
+ by self ssf=128 =wr
+ by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
+ by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * read
+
+# Access to samba attributs
+access to attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdMustChange,sambaAcctFlags,sambaGroupType,sambaPasswordHistory,sambaNextRid
+ by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+ by * read
+
+access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaLogonHours,sambaBadPasswordCount,sambaBadPasswordTime
+ by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+ by * read
+
+# We store machine-accounts for samba in a private ou
+access to dn.sub="ou=machines,ou=people,dc=skole,dc=skolelinux,dc=no"
+ by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+ by * read
+
+# Limit access to kerberos data in cn=kerberos
+access to dn.subtree="cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no"
+ by dn.exact="cn=kdc-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no" read
+ by dn.exact="cn=kadmin-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no" write
+ by * none
+
+# Control access to kerberos attributes
+access to attrs=krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData
+ by dn.exact="cn=kdc-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no" read
+ by dn.exact="cn=kadmin-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no" write
+ by self read
+ by * auth
+
+# Defaultaccess ##FIXME: this ACL for kadmin-service is probably
+# never active because of prior rules (to be refined above)
+access to *
+ by dn.exact="cn=kadmin-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no" write
+ by * read
+
+# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
+database monitor
+
+# End of ldapd configuration file
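Review bot: `loglevel none` in the restored file turns off all slapd logging, so failed binds and ACL denials against a directory holding userPassword, Samba and Kerberos attributes leave no trace in syslog; `loglevel stats` (connection, operation and result logging, see slapd.conf(5)) is the usual minimum and would be the line to change. Two related settings in the same hunk deserve a comment if they are kept: `allow bind_v2` re-enables legacy LDAPv2 binds, and `TLSCACertificateFile`, `TLSCertificateKeyFile` and `TLSCertificateFile` all point at the one file `/etc/ldap/ssl/slapd.pem`, so the private key lives in the file that also serves as trust anchor, e.g. `# slapd.pem carries the private key: keep it readable by the slapd user only`. The same three points apply verbatim to etc/ldap/slapd-lenny_debian-edu.conf later in this commit. The commit message calls both files unused and outdated, so this only matters where they are actually installed.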
diff --git a/etc/ldap/slapd-lenny_debian-edu.conf b/etc/ldap/slapd-lenny_debian-edu.conf
new file mode 100644
index 0000000..3cc6132
--- /dev/null
+++ b/etc/ldap/slapd-lenny_debian-edu.conf
@@ -0,0 +1,195 @@
+# Allow LDAPv2 binds
+allow bind_v2
+
+# The skolelinux slapd configuration file
+#
+# $Id: slapd-skolelinux.conf,v 1.7 2003/06/27 14:47:20 pere Exp $
+
+# Schema and objectClass definitions
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/nis.schema
+include /etc/ldap/schema/courier.schema
+include /etc/ldap/schema/automount.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/samba.schema
+include /etc/ldap/schema/lis.schema
+include /etc/ldap/schema/dhcp.schema
+include /etc/ldap/schema/dnsdomain2.schema
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile /var/run/slapd/slapd.pid
+
+# Read slapd.conf(5) for possible values
+#loglevel 65535
+loglevel none
+
+rootDSE /etc/ldap/rootDSE-debian-edu.ldif
+
+# TLS/SSL
+TLSCACertificateFile /etc/ldap/ssl/slapd.pem
+TLSCertificateKeyFile /etc/ldap/ssl/slapd.pem
+TLSCertificateFile /etc/ldap/ssl/slapd.pem
+#TLSCACertificateFile /var/lib/pyca/Root/cacert.pem
+#TLSCertificateKeyFile /var/lib/pyca/ServerCerts/private/cakey.pem
+#TLSCertificateFile /var/lib/pyca/ServerCerts/cacert.pem
+
+modulepath /usr/lib/ldap
+moduleload back_bdb
+moduleload back_monitor
+
+defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
+security update_ssf=128 simple_bind=128
+
+backend bdb
+backend monitor
+
+
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+# The backend type, ldbm, is the default standard
+
+database bdb
+# Set the database in memory cache size.
+#
+cachesize 4000
+dbnosync
+sizelimit 4000
+
+# First database
+suffix "dc=skole,dc=skolelinux,dc=no"
+rootdn "cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
+# Where the database file are physically stored
+directory "/var/lib/ldap"
+
+# Indices to maintain
+index objectClass pres,eq
+index cn,sn,ou pres,eq,sub
+index uid pres,eq,sub
+index groupType eq
+index uidNumber eq
+index gidNumber eq
+index memberUid eq
+index default eq
+#for some clients, even if not used
+index givenname eq
+index displayName eq
+index telephoneNumber eq
+
+#samba index
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index sambaGroupType eq
+index sambaSIDList eq
+
+# PowerDNS index
+index associatedDomain pres,eq,sub
+
+# Save the time that the entry gets modified
+lastmod on
+
+
+
+# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
+# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
+#
+
+access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
+ by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx
+ by * none break
+
+access to *
+ by group/lisAclGroup/member="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+ by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * none break
+
+access to dn.base="cn=nextID,ou=Variables,dc=skole,dc=skolelinux,dc=no"
+ attrs=gidNumber
+ by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+ by * read
+
+# Don not give jradmins access to the userPassword attribute of the higher privileged
+
+access to dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no"
+ attrs=userPassword
+ by self ssf=128 =wx
+ by anonymous ssf=128 auth
+ by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" none
+ by * none
+
+access to dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
+ attrs=userPassword
+ by self ssf=128 =wx
+ by anonymous ssf=128 auth
+ by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" none
+ by * none
+
+access to attrs=userPassword
+ by self ssf=128 =wx
+ by anonymous ssf=128 auth
+ by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * none
+
+access to attrs=shadowLastChange
+ by self ssf=128 =w
+ by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * none
+
+#
+# Allow samba to add groupmap information to existing groups.
+#
+access to dn.subtree="ou=Group,dc=skole,dc=skolelinux,dc=no"
+ attrs=objectClass,sambaSID,sambaGroupType,displayName,description,sambaSIDList
+ by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+ by * none break
+
+#
+# Ensure samba password hashes.
+#
+# Restricted access to some samba attributes
+# (allow access for admin to don't break old installations)
+# Restricted jradmin from accessing the attributes of the higher privileged
+access to attrs=sambaLMPassword,sambaNTPassword
+ by self ssf=128 =w
+ by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
+ by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * none
+
+access to attrs=sambaPwdLastSet,sambaPwdCanChange
+ by self ssf=128 =wr
+ by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
+ by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+ by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+ by * read
+
+# Access to samba attributs
+access to attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdMustChange,sambaAcctFlags,sambaGroupType,sambaPasswordHistory,sambaNextRid
+ by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+ by * read
+
+access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaLogonHours,sambaBadPasswordCount,sambaBadPasswordTime
+ by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+ by * read
+
+# We store machine-accounts for samba in a private ou
+access to dn.sub="ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no"
+ by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+ by * read
+
+
+# Defaultaccess
+access to *
+ by * read
+
+# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
+database monitor
+
+# End of ldapd configuration file
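Review bot: `dbnosync` is active in this restored file (the `cachesize 4000` / `dbnosync` / `sizelimit 4000` block), while the sibling etc/ldap/slapd-debian-edu.conf in this same commit ships it commented out and the changelog entry kept at the top of the diff records that the squeeze variant had it unset "to avoid possible data loss". If this file is installed anywhere, the line should be `#dbnosync` for the same reason, otherwise the revert reintroduces the exact setting the previous entry removed. The commit message describes the file as unused, so this may be moot, but the inconsistency between the two restored configs remains in the tree.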