[debian-edu-commits] debian-edu/ 02/02: Revert "Remove unused (and outdated) files etc/ldap/slapd-debian-edu.conf and etc/ldap/slapd-lenny_debian-edu.conf"

Holger Levsen holger at moszumanska.debian.org
Mon Jan 5 19:15:24 UTC 2015


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch master
in repository debian-edu-config.

commit 66779c5ad7c18a5b0d43f135dbc03ec7175a52e9
Author: Holger Levsen <holger at layer-acht.org>
Date:   Mon Jan 5 20:15:07 2015 +0100

    Revert "Remove unused (and outdated) files etc/ldap/slapd-debian-edu.conf and etc/ldap/slapd-lenny_debian-edu.conf"
    
    This reverts commit 1c70a6089659f4c3e0949c4be048f493c60bbab5.
---
 debian/changelog                     |   2 -
 etc/ldap/slapd-debian-edu.conf       | 210 +++++++++++++++++++++++++++++++++++
 etc/ldap/slapd-lenny_debian-edu.conf | 195 ++++++++++++++++++++++++++++++++
 3 files changed, 405 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 58e6784..4c58a51 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,8 +6,6 @@ debian-edu-config (1.816) UNRELEASED; urgency=medium
     executed). (Closes: #774392).
   * etc/ldap/slapd-squeeze_debian-edu.conf: unset 'dbnosync' to avoid
     possible data loss. (Closes: #774610).
-  * Remove unused (and outdated) files etc/ldap/slapd-debian-edu.conf
-    and etc/ldap/slapd-lenny_debian-edu.conf
 
  -- Wolfgang Schweer <wschweer at arcor.de>  Thu, 01 Jan 2015 23:26:29 +0100
 
diff --git a/etc/ldap/slapd-debian-edu.conf b/etc/ldap/slapd-debian-edu.conf
new file mode 100644
index 0000000..419f13e
--- /dev/null
+++ b/etc/ldap/slapd-debian-edu.conf
@@ -0,0 +1,210 @@
+# Allow LDAPv2 binds
+allow bind_v2
+
+# The skolelinux slapd configuration file
+#
+# $Id: slapd-skolelinux.conf,v 1.7 2003/06/27 14:47:20 pere Exp $
+
+# Schema and objectClass definitions
+include         /etc/ldap/schema/core.schema
+include         /etc/ldap/schema/cosine.schema
+include         /etc/ldap/schema/nis.schema
+include         /etc/ldap/schema/courier.schema
+include         /etc/ldap/schema/automount.schema
+include		/etc/ldap/schema/inetorgperson.schema
+include		/etc/ldap/schema/samba.schema
+include		/etc/ldap/schema/lis.schema
+include		/etc/ldap/schema/dhcp.schema
+include		/etc/ldap/schema/dnsdomain2.schema
+include		/etc/ldap/schema/kerberos.schema
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile		/var/run/slapd/slapd.pid
+
+# Read slapd.conf(5) for possible values
+#loglevel	65535
+loglevel	none
+
+rootDSE                 /etc/ldap/rootDSE-debian-edu.ldif
+
+# TLS/SSL
+TLSCACertificateFile    /etc/ldap/ssl/slapd.pem
+TLSCertificateKeyFile   /etc/ldap/ssl/slapd.pem
+TLSCertificateFile      /etc/ldap/ssl/slapd.pem
+#TLSCACertificateFile    /var/lib/pyca/Root/cacert.pem
+#TLSCertificateKeyFile   /var/lib/pyca/ServerCerts/private/cakey.pem
+#TLSCertificateFile      /var/lib/pyca/ServerCerts/cacert.pem
+
+modulepath	/usr/lib/ldap
+moduleload	back_bdb
+moduleload	back_monitor
+
+defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
+security update_ssf=128  simple_bind=128
+
+backend		bdb
+backend		monitor
+
+
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+# The backend type, ldbm, is the default standard
+
+database	bdb
+# Set the database in memory cache size.
+#
+cachesize   4000
+#dbnosync
+sizelimit 4000
+
+# First database
+suffix		"dc=skole,dc=skolelinux,dc=no"
+rootdn		"cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no"
+# Where the database file are physically stored
+directory	"/var/lib/ldap"
+
+# Indices to maintain
+index           objectClass     pres,eq
+index           cn,sn,ou        pres,eq,sub
+index           uid             pres,eq,sub
+index		groupType	eq
+index           uidNumber       eq
+index           gidNumber       eq
+index           memberUid       eq
+index           default         eq
+#for some clients, even if not used
+index		givenname	eq
+index		displayName	eq
+index		telephoneNumber	eq
+
+#samba index
+index sambaSID                          eq
+index sambaPrimaryGroupSID              eq
+index sambaDomainName                   eq
+index sambaGroupType                    eq
+index sambaSIDList                      eq
+
+# PowerDNS index
+index associatedDomain         pres,eq,sub
+
+# Save the time that the entry gets modified
+lastmod on
+
+
+
+# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
+# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
+#
+
+access to dn.base="cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no" 
+	by dn.exact="cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx 
+	by * none break
+
+access to * 
+	by group/lisAclGroup/member="cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+	by dn.exact="cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =w 
+	by * none break
+	
+access to dn.base="cn=nextID,ou=variables,dc=skole,dc=skolelinux,dc=no" 
+	attrs=gidNumber
+	by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+	by * read 
+
+# Don not give jradmins access to the userPassword attribute of the higher privileged
+
+access to dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no"
+	attrs=userPassword
+	by self      ssf=128 =wx
+	by anonymous ssf=128 auth
+	by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" none
+	by * none 
+
+access to dn.exact="cn=admin,ou=people,dc=skole,dc=skolelinux,dc=no"
+	attrs=userPassword
+	by self      ssf=128 =wx
+	by anonymous ssf=128 auth
+	by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" none
+	by * none 
+
+access to attrs=userPassword
+	by self      ssf=128 =wx
+	by anonymous ssf=128 auth
+	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w 
+	by * none 
+
+access to attrs=shadowLastChange
+	by self      ssf=128 =w
+	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w 
+	by * none 
+
+#
+# Allow samba to add groupmap information to existing groups.
+#
+access to dn.subtree="ou=group,dc=skole,dc=skolelinux,dc=no"
+	attrs=objectClass,sambaSID,sambaGroupType,displayName,description,sambaSIDList
+	by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+	by * none break
+
+#
+# Ensure samba password hashes.
+#
+# Restricted access to some samba attributes
+# (allow access for admin to don't break old installations)
+# Restricted jradmin from accessing the attributes of the higher privileged
+access to attrs=sambaLMPassword,sambaNTPassword
+	by self ssf=128 =w
+	by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
+	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+	by * none
+
+access to attrs=sambaPwdLastSet,sambaPwdCanChange
+	by self ssf=128 =wr
+	by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
+	by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by group/lisAclGroup/member="cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+	by * read
+
+# Access to samba attributs
+access to attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdMustChange,sambaAcctFlags,sambaGroupType,sambaPasswordHistory,sambaNextRid
+	by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+	by * read
+
+access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaLogonHours,sambaBadPasswordCount,sambaBadPasswordTime
+	by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+	by * read
+
+# We store machine-accounts for samba in a private ou
+access to  dn.sub="ou=machines,ou=people,dc=skole,dc=skolelinux,dc=no"  
+	by dn.exact="cn=smbadmin,ou=people,dc=skole,dc=skolelinux,dc=no"  ssf=128 =wsr
+	by * read
+
+# Limit access to kerberos data in cn=kerberos
+access to dn.subtree="cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no"
+       by dn.exact="cn=kdc-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no" read
+       by dn.exact="cn=kadmin-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no" write
+       by * none
+
+# Control access to kerberos attributes
+access to attrs=krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData
+       by dn.exact="cn=kdc-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no"  read
+       by dn.exact="cn=kadmin-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no"  write
+       by self read
+       by * auth
+
+# Defaultaccess ##FIXME: this ACL for kadmin-service is probably 
+# never active because of prior rules (to be refined above)
+access to *
+       by dn.exact="cn=kadmin-service,cn=kerberos,ou=services,dc=skole,dc=skolelinux,dc=no" write
+       by * read
+
+# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
+database monitor
+
+# End of ldapd configuration file
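Review bot: The closing default rule `access to *` / `by * read` leaves every entry and attribute not caught by an earlier rule readable by unauthenticated clients, because the earlier `access to *` rule ends in `by * none break` and so falls through to it; the `security update_ssf=128 simple_bind=128` line only constrains updates and simple binds, not anonymous searches over a plaintext connection. Whether an anonymous-readable directory is intended for this deployment is not visible in the diff; if it is not, `by * read` should become `by users read` (or `by * none`), and the same default stands at the end of slapd-lenny_debian-edu.conf later in this commit. A smaller point in the TLS block: `TLSCACertificateFile` names the same slapd.pem as the server certificate and key, which only works for a self-signed certificate and should be stated, e.g. `# slapd.pem is self-signed, so it doubles as the CA file; replace all three when a real CA is used`. Since the revert message itself calls these files unused and outdated, the risk is dormant unless something still loads them, which the diff does not show.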
diff --git a/etc/ldap/slapd-lenny_debian-edu.conf b/etc/ldap/slapd-lenny_debian-edu.conf
new file mode 100644
index 0000000..3cc6132
--- /dev/null
+++ b/etc/ldap/slapd-lenny_debian-edu.conf
@@ -0,0 +1,195 @@
+# Allow LDAPv2 binds
+allow bind_v2
+
+# The skolelinux slapd configuration file
+#
+# $Id: slapd-skolelinux.conf,v 1.7 2003/06/27 14:47:20 pere Exp $
+
+# Schema and objectClass definitions
+include         /etc/ldap/schema/core.schema
+include         /etc/ldap/schema/cosine.schema
+include         /etc/ldap/schema/nis.schema
+include         /etc/ldap/schema/courier.schema
+include         /etc/ldap/schema/automount.schema
+include		/etc/ldap/schema/inetorgperson.schema
+include		/etc/ldap/schema/samba.schema
+include		/etc/ldap/schema/lis.schema
+include		/etc/ldap/schema/dhcp.schema
+include		/etc/ldap/schema/dnsdomain2.schema
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile		/var/run/slapd/slapd.pid
+
+# Read slapd.conf(5) for possible values
+#loglevel	65535
+loglevel	none
+
+rootDSE                 /etc/ldap/rootDSE-debian-edu.ldif
+
+# TLS/SSL
+TLSCACertificateFile    /etc/ldap/ssl/slapd.pem
+TLSCertificateKeyFile   /etc/ldap/ssl/slapd.pem
+TLSCertificateFile      /etc/ldap/ssl/slapd.pem
+#TLSCACertificateFile    /var/lib/pyca/Root/cacert.pem
+#TLSCertificateKeyFile   /var/lib/pyca/ServerCerts/private/cakey.pem
+#TLSCertificateFile      /var/lib/pyca/ServerCerts/cacert.pem
+
+modulepath	/usr/lib/ldap
+moduleload	back_bdb
+moduleload	back_monitor
+
+defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
+security update_ssf=128  simple_bind=128
+
+backend		bdb
+backend		monitor
+
+
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+# The backend type, ldbm, is the default standard
+
+database	bdb
+# Set the database in memory cache size.
+#
+cachesize   4000
+dbnosync
+sizelimit 4000
+
+# First database
+suffix		"dc=skole,dc=skolelinux,dc=no"
+rootdn		"cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
+# Where the database file are physically stored
+directory	"/var/lib/ldap"
+
+# Indices to maintain
+index           objectClass     pres,eq
+index           cn,sn,ou        pres,eq,sub
+index           uid             pres,eq,sub
+index		groupType	eq
+index           uidNumber       eq
+index           gidNumber       eq
+index           memberUid       eq
+index           default         eq
+#for some clients, even if not used
+index		givenname	eq
+index		displayName	eq
+index		telephoneNumber	eq
+
+#samba index
+index sambaSID                          eq
+index sambaPrimaryGroupSID              eq
+index sambaDomainName                   eq
+index sambaGroupType                    eq
+index sambaSIDList                      eq
+
+# PowerDNS index
+index associatedDomain         pres,eq,sub
+
+# Save the time that the entry gets modified
+lastmod on
+
+
+
+# Webmin-ldap-skolelinux use TLS, and PAM authentication use SSL
+# The ssf=128 option is to be used when SL bug 213 and 404 are closed.
+#
+
+access to dn.base="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" 
+	by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wx 
+	by * none break
+
+access to * 
+	by group/lisAclGroup/member="cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+	by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =w 
+	by * none break
+	
+access to dn.base="cn=nextID,ou=Variables,dc=skole,dc=skolelinux,dc=no" 
+	attrs=gidNumber
+	by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+	by * read 
+
+# Don not give jradmins access to the userPassword attribute of the higher privileged
+
+access to dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no"
+	attrs=userPassword
+	by self      ssf=128 =wx
+	by anonymous ssf=128 auth
+	by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" none
+	by * none 
+
+access to dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
+	attrs=userPassword
+	by self      ssf=128 =wx
+	by anonymous ssf=128 auth
+	by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" none
+	by * none 
+
+access to attrs=userPassword
+	by self      ssf=128 =wx
+	by anonymous ssf=128 auth
+	by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w 
+	by * none 
+
+access to attrs=shadowLastChange
+	by self      ssf=128 =w
+	by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w 
+	by * none 
+
+#
+# Allow samba to add groupmap information to existing groups.
+#
+access to dn.subtree="ou=Group,dc=skole,dc=skolelinux,dc=no"
+	attrs=objectClass,sambaSID,sambaGroupType,displayName,description,sambaSIDList
+	by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 write
+	by * none break
+
+#
+# Ensure samba password hashes.
+#
+# Restricted access to some samba attributes
+# (allow access for admin to don't break old installations)
+# Restricted jradmin from accessing the attributes of the higher privileged
+access to attrs=sambaLMPassword,sambaNTPassword
+	by self ssf=128 =w
+	by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
+	by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+	by * none
+
+access to attrs=sambaPwdLastSet,sambaPwdCanChange
+	by self ssf=128 =wr
+	by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wr
+	by set="[cn=admins,ou=Group,dc=skole,dc=skolelinux,dc=no]/member & this" none
+	by group/lisAclGroup/member="cn=jradmins,ou=Group,dc=skole,dc=skolelinux,dc=no" ssf=128 =w
+	by * read
+
+# Access to samba attributs
+access to attrs=objectClass,sambaSID,sambaPrimaryGroupSID,displayName,sambaPwdMustChange,sambaAcctFlags,sambaGroupType,sambaPasswordHistory,sambaNextRid
+	by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+	by * read
+
+access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaLogonHours,sambaBadPasswordCount,sambaBadPasswordTime
+	by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no" ssf=128 =wsr
+	by * read
+
+# We store machine-accounts for samba in a private ou
+access to  dn.sub="ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no"  
+	by dn.exact="cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no"  ssf=128 =wsr
+	by * read
+
+
+# Defaultaccess
+access to * 
+	by * read
+
+# Last database.. back-monitor is nice to have. Use 'cn=monitor' as base
+database monitor
+
+# End of ldapd configuration file
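Review bot: `dbnosync` is still active in the `database bdb` block of this re-added file, while the changelog hunk at the top of this same commit records unsetting it in slapd-squeeze_debian-edu.conf precisely to avoid possible data loss; the sibling slapd-debian-edu.conf re-added above already has it commented out. Unless the revert is meant to restore the file byte-for-byte as history, the line should become `#dbnosync` with a comment such as `# dbnosync kept off: BDB must sync writes or a crash can lose directory data`. If the file is indeed only kept as an unused artifact, a header comment saying so (`# Not loaded by any init script; retained for reference only`) would stop it being copied into a live slapd.conf with this setting on.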
