Contents of /rpms/e-smith-ldap/sme8/e-smith-ldap-5.2.0-allow_authenticated_users_to_read_attrs.patch

Revision 1.1 - (show annotations) (download)
Thu Oct 14 20:47:13 2010 UTC (13 years, 7 months ago) by vip-ire
Branch: MAIN
CVS Tags: e-smith-ldap-5_2_0-76_el5_sme, e-smith-ldap-5_2_0-71_el5_sme, e-smith-ldap-5_2_0-77_el5_sme, e-smith-ldap-5_2_0-50_el5_sme, e-smith-ldap-5_2_0-78_el5_sme, e-smith-ldap-5_2_0-61_el5_sme, e-smith-ldap-5_2_0-66_el5_sme, e-smith-ldap-5_2_0-70_el5_sme, e-smith-ldap-5_2_0-79_el5_sme, e-smith-ldap-5_2_0-81_el5_sme, e-smith-ldap-5_2_0-59_el5_sme, e-smith-ldap-5_2_0-75_el5_sme, e-smith-ldap-5_2_0-56_el5_sme, e-smith-ldap-5_2_0-55_el5_sme, e-smith-ldap-5_2_0-57_el5_sme, e-smith-ldap-5_2_0-73_el5_sme, e-smith-ldap-5_2_0-69_el5_sme, e-smith-ldap-5_2_0-52_el5_sme, e-smith-ldap-5_2_0-51_el5_sme, e-smith-ldap-5_2_0-72_el5_sme, e-smith-ldap-5_2_0-65_el5_sme, e-smith-ldap-5_2_0-54_el5_sme, e-smith-ldap-5_2_0-53_el5_sme, e-smith-ldap-5_2_0-80_el5_sme, e-smith-ldap-5_2_0-74_el5_sme, e-smith-ldap-5_2_0-63_el5_sme, e-smith-ldap-5_2_0-60_el5_sme, e-smith-ldap-5_2_0-62_el5_sme, e-smith-ldap-5_2_0-68_el5_sme, e-smith-ldap-5_2_0-67_el5_sme, e-smith-ldap-5_2_0-64_el5_sme, HEAD
* Thu Oct 14 2010 Daniel Berteaud <daniel@firewall-services.com> 5.2.0-50.sme
- Allow authenticated users to read posixAccount and shadowAccount attrs [SME: 6254]

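diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects 2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects 2010-10-14 22:23:21.000000000 +0200
@@ -2,9 +2,17 @@
 # Prevent access to system, dummy and machine accounts
 
 access to dn.subtree=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson))
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
 by anonymous none
+
 access to dn.subtree=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject))
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
 by anonymous none
+
 access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); }
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
 by anonymous none
 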
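Review bot: The context comment `# Prevent access to system, dummy and machine accounts` no longer describes this ACL: the added `by users peername.ip="127.0.0.1" read` and `by users ssf=128 read` clauses let any authenticated bind from localhost, or over a connection with SSF of at least 128, read every entry in all three subtrees, including ou=Computers. An administrator auditing the generated slapd.conf would read that these entries are blocked while they are readable by every authenticated user, so the comment should say so, e.g. `# System, dummy and machine accounts: readable by authenticated users (localhost or ssf>=128), hidden from anonymous binds`. The commit message names only posixAccount and shadowAccount attributes, so it is worth recording in the log that exposing whole machine and group entries to all users is intended. An authenticated bind over an unencrypted remote connection matches none of the listed clauses and falls through to slapd's implicit `by * none`, which is presumably the intent and could be stated in the same comment.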
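diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 2010-10-14 22:23:21.000000000 +0200
@@ -1,7 +1,10 @@
 {
 
 # Array of attrs which should not be visible anonymously
-@sensible = ();
+@anon = ();
+
+# Array of attrs which should not be visible by other users
+@users = ();
 
 $OUT .= '';
 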
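Review bot: Renaming `@sensible` to `@anon` silently disconnects any fragment that still does `push @sensible, ...`: its attributes would no longer be listed in the generated ACL and would become readable, with no error at template expansion time. The two fragments in this patch are updated, but a locally added or third-party fragment in the same template directory is not, so the declaration deserves a comment such as `# Renamed from @sensible; fragments that still push to @sensible are NOT picked up by 95acls80sensibleAcl`. If a compatibility path is wanted, `@sensible = ();` could be kept alongside and merged into the ACL in 95acls80sensibleAcl. The comment on `@users` should also say which ACL consumes it and that the entry's own DN (`self`) is still allowed, since "not visible by other users" on its own reads as if the owner is excluded too.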
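diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount 2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount 2010-10-14 22:23:21.000000000 +0200
@@ -1,7 +1,7 @@
 {
 
 # Sensible attributes related to posixAccount
-push @sensible, qw/loginShell gidNumber homeDirectory uidNumber/;
+push @anon, qw/loginShell gidNumber homeDirectory uidNumber/;
 
 $OUT .= '';
 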
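diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 2010-10-14 22:23:21.000000000 +0200
@@ -1,7 +1,7 @@
 {
 
 # Sensible attributes related to shadowAccount
-push @sensible,qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/;
+push @anon, qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/;
 
 $OUT .= '';
 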
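diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 2010-10-14 22:23:21.000000000 +0200
@@ -1,13 +1,27 @@
 {
-my $attrs = join(",",@sensible);
+my $anon_attrs = join(",",@anon);
+my $users_attrs = join(",",@users);
 
-unless ($attrs eq ''){
+unless ($anon_attrs eq ''){
 $OUT .=<<"HERE";
-# Restrict access to some sensible attributes
-access to attrs=$attrs
+access to attrs=$anon_attrs
 by self peername.ip="127.0.0.1" read
 by self ssf=128 read
- by anonymous none
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
+ by * none
+
+HERE
+}
+
+unless ($users_attrs eq ''){
+ $OUT .=<<"HERE";
+access to attrs=$users_attrs
+ by self peername.ip="127.0.0.1" read
+ by self ssf=128 read
+ by * none
+
 HERE
 }
+
 }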
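Review bot: Nothing in this patch pushes to `@users`, so `$users_attrs` is always empty here and the second `unless` block never emits an ACL; if other fragments are expected to populate it, say so in a comment, otherwise the block is dead code that an auditor will mistake for an active restriction. The removed `# Restrict access to some sensible attributes` line was the only comment the generated slapd.conf carried for these rules, so each heredoc should get one back, e.g. `# Attributes hidden from anonymous binds, readable by authenticated users` before `access to attrs=$anon_attrs` and `# Attributes readable only by the entry itself` before `access to attrs=$users_attrs`. Replacing `by anonymous none` with the explicit `by * none` is a good change since it makes the default deny visible in the output; the `by self` clauses keep precedence over `by users` because slapd stops at the first matching `by` clause, which is worth noting next to them so nobody reorders the lines. Since template fragments are expanded in filename order, any new fragment pushing to `@anon` or `@users` must sort before this one, as 72 and 74 do; a comment at the top of the block would make that constraint explicit.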
