diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects --- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects 2010-10-14 22:29:18.000000000 +0200 +++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects 2010-10-14 22:23:21.000000000 +0200 @@ -2,9 +2,17 @@ # Prevent access to system, dummy and machine accounts access to dn.subtree=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson)) + by users peername.ip="127.0.0.1" read + by users ssf=128 read by anonymous none + access to dn.subtree=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject)) + by users peername.ip="127.0.0.1" read + by users ssf=128 read by anonymous none + access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); } + by users peername.ip="127.0.0.1" read + by users ssf=128 read by anonymous none diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs --- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 2010-10-14 22:29:18.000000000 +0200 +++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 2010-10-14 22:23:21.000000000 +0200 @@ -1,7 +1,10 @@ { # Array of attrs which should not be visible anonymously -@sensible = (); +@anon = (); + +# Array of attrs which should not be visible by other users +@users = (); $OUT .= ''; diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount --- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount 2010-10-14 22:29:18.000000000 +0200 +++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount 2010-10-14 22:23:21.000000000 +0200 @@ -1,7 +1,7 @@ { # Sensible attributes related to posixAccount -push @sensible, qw/loginShell gidNumber homeDirectory uidNumber/; +push @anon, qw/loginShell gidNumber homeDirectory uidNumber/; $OUT .= ''; diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount --- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 2010-10-14 22:29:18.000000000 +0200 +++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 2010-10-14 22:23:21.000000000 +0200 @@ -1,7 +1,7 @@ { # Sensible attributes related to shadowAccount -push @sensible,qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/; +push @anon, qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/; $OUT .= ''; diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl --- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 2010-10-14 22:29:18.000000000 +0200 +++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 2010-10-14 22:23:21.000000000 +0200 @@ -1,13 +1,27 @@ { -my $attrs = join(",",@sensible); +my $anon_attrs = join(",",@anon); +my $users_attrs = join(",",@users); -unless ($attrs eq ''){ +unless ($anon_attrs eq ''){ $OUT .=<<"HERE"; -# Restrict access to some sensible attributes -access to attrs=$attrs +access to attrs=$anon_attrs by self peername.ip="127.0.0.1" read by self ssf=128 read - by anonymous none + by users peername.ip="127.0.0.1" read + by users ssf=128 read + by * none + +HERE +} + +unless ($users_attrs eq ''){ + $OUT .=<<"HERE"; +access to attrs=$users_attrs + by self peername.ip="127.0.0.1" read + by self ssf=128 read + by * none + HERE } + }