This is an automated email from the ASF dual-hosted git repository.
smckinney pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-fortress-core.git
The following commit(s) were added to refs/heads/master by this push:
new 91ada52 FC-264 - Improve ACL in slapd test
91ada52 is described below
commit 91ada523c70d4046343b400d6bd34ed97c78c830
Author: Shawn McKinney <smckinney@apache.org>
AuthorDate: Fri Mar 1 17:39:18 2019 -0600
FC-264 - Improve ACL in slapd test
---
ldap/slapd.conf.src | 66 +++++++++++++++++++++++++++++------------------------
1 file changed, 36 insertions(+), 30 deletions(-)
diff --git a/ldap/slapd.conf.src b/ldap/slapd.conf.src
index 3965d09..5ea2cf5 100755
--- a/ldap/slapd.conf.src
+++ b/ldap/slapd.conf.src
@@ -17,7 +17,7 @@
# under the License.
#
#
-# Fortress slapd.conf default settings.
+# Apache Fortress OpenLDAP slapd.conf default settings.
# Note: Directives that begin with '@' are substitution parms that get automatically replaced.
include @SCHEMA_PATH@/core.schema
@@ -52,44 +52,18 @@ moduleload accesslog.la
@DDS_MODULE@
@MONITOR_MODULE@
-# ACLS:
+# Global ACLS:
# RootDSE is always readable
access to dn.base="" by * read
-# The fortress admin needs write access to the whole DIT
-access to dn.subtree="@SUFFIX@"
- by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" write
- by * break
-
-# Accesslog is readable by replicator and fortress:
-access to dn.subtree="@LOG_SUFFIX@"
- by dn.exact="cn=replicator,dc=admin,@SUFFIX@" read
- by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" read
- by * break
-
# For tooling:
access to dn.base="cn=subschema"
by * read
-# Allow anonymous ability to bind:
-access to dn.subtree="@SUFFIX@" attrs=userPassword
- by anonymous auth
- by * break
-
-# For audit trail:
-# Allow users access to modify their own pw & fortress audit attrs.
-access to dn.subtree="@SUFFIX@" attrs=userPassword,ftModifier,ftModCode,ftModId
- by self =wx
- by * none
-
-# Allow users compare access to a fortress perm op name:
-access to dn.subtree="@SUFFIX@" attrs=ftOpNm
- by users compare
-
password-hash {SSHA}
#######################################################################
-# History DB Settings
+# Access Log DB Settings
#######################################################################
database @DB_TYPE@
@LOG_RDRS@
@@ -105,6 +79,12 @@ access to *
@LOG_CHECKPOINT@
@LOG_BDB_CACHE_SIZE@
+# Accesslog is readable by replicator and fortress:
+access to dn.subtree="@LOG_SUFFIX@"
+ by dn.exact="cn=replicator,dc=admin,@SUFFIX@" read
+ by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" read
+ by * break
+
#######################################################################
# Default DB Settings
#######################################################################
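Review bot: The accesslog ACL added at `access to dn.subtree="@LOG_SUFFIX@"` is placed after the `access to *` clause that the hunk header (`@@ -105,6 +79,12 @@ access to *`) reports as the nearest preceding directive, which from its old line number lies inside this same accesslog `database` section. slapd evaluates a database's `access` directives in order and stops at the first one whose target matches; `access to *` matches every entry, so if it really precedes these lines the new clause is never consulted and the replicator/fortress-admin `read` grants have no effect. Either move the new block above the existing `access to *` or merge its two `by dn.exact=... read` lines into that clause, and verify with `slapacl` against a `@LOG_SUFFIX@` entry. The enclosing database section starts before this hunk, so the exact position of `access to *` cannot be confirmed here.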
@@ -128,8 +108,34 @@ logdb "@LOG_SUFFIX@"
@DFLT_BDB_CACHE_SIZE@
@DFLT_BDB_CACHE_IDLE_SIZE@
+# The fortress admin needs write access to the whole DIT
+access to dn.subtree="@SUFFIX@"
+ by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" write
+ by * break
+
+# Accesslog is readable by replicator and fortress:
+access to dn.subtree="@LOG_SUFFIX@"
+ by dn.exact="cn=replicator,dc=admin,@SUFFIX@" read
+ by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" read
+ by * break
+
+# Allow anonymous ability to bind:
+access to dn.subtree="@SUFFIX@" attrs=userPassword
+ by anonymous auth
+ by * break
+
+# For audit trail:
+# Allow users access to modify their own pw & fortress audit attrs.
+access to dn.subtree="@SUFFIX@" attrs=userPassword,ftModifier,ftModCode,ftModId
+ by self =wx
+ by * none
+
+# Allow users compare access to a fortress perm op name:
+access to dn.subtree="@SUFFIX@" attrs=ftOpNm
+ by users compare
+
#######################################################################
-# Audit Log Settings
+# More Audit Log Settings
#######################################################################
@LOGOPS@
logoldattr ftModifier ftModCode ftModId ftRC ftRA ftARC ftARA ftCstr ftId ftPermName ftObjNm
ftOpNm ftObjId ftGroups ftRoles ftUsers ftType
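Review bot: The `access to dn.subtree="@LOG_SUFFIX@"` block added here in the default database section duplicates the one this commit already adds to the accesslog database (the previous hunk, directly after `@LOG_BDB_CACHE_SIZE@`). In the default database, whose entries live under `@SUFFIX@`, a target of `@LOG_SUFFIX@` is only ever reached if the log suffix is nested under `@SUFFIX@`, which nothing on this page suggests; otherwise the five lines are dead and will mislead the next reader into thinking log access is governed from here. Drop the duplicate from this section, or add a one-line comment explaining why the log ACL must also appear on the default database. The remaining ACLs keep the expected order (admin `write` with `by * break` first, then the `userPassword` `auth`/`=wx` rules ending in `by * none`), and the trailing `attrs=ftOpNm` clause relies on slapd's implicit `by * none`, which is worth stating in a comment so the omission is not read as an oversight.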