
Annotation of /rpms/e-smith-ldap/sme8/e-smith-ldap-5.2.0-allow_authenticated_users_to_read_attrs.patch



Revision 1.1 - (hide annotations) (download)
Thu Oct 14 20:47:13 2010 UTC (13 years, 8 months ago) by vip-ire
Branch: MAIN
CVS Tags: e-smith-ldap-5_2_0-76_el5_sme, e-smith-ldap-5_2_0-71_el5_sme, e-smith-ldap-5_2_0-77_el5_sme, e-smith-ldap-5_2_0-50_el5_sme, e-smith-ldap-5_2_0-78_el5_sme, e-smith-ldap-5_2_0-61_el5_sme, e-smith-ldap-5_2_0-66_el5_sme, e-smith-ldap-5_2_0-70_el5_sme, e-smith-ldap-5_2_0-79_el5_sme, e-smith-ldap-5_2_0-81_el5_sme, e-smith-ldap-5_2_0-59_el5_sme, e-smith-ldap-5_2_0-75_el5_sme, e-smith-ldap-5_2_0-56_el5_sme, e-smith-ldap-5_2_0-55_el5_sme, e-smith-ldap-5_2_0-57_el5_sme, e-smith-ldap-5_2_0-73_el5_sme, e-smith-ldap-5_2_0-69_el5_sme, e-smith-ldap-5_2_0-52_el5_sme, e-smith-ldap-5_2_0-51_el5_sme, e-smith-ldap-5_2_0-72_el5_sme, e-smith-ldap-5_2_0-65_el5_sme, e-smith-ldap-5_2_0-54_el5_sme, e-smith-ldap-5_2_0-53_el5_sme, e-smith-ldap-5_2_0-80_el5_sme, e-smith-ldap-5_2_0-74_el5_sme, e-smith-ldap-5_2_0-63_el5_sme, e-smith-ldap-5_2_0-60_el5_sme, e-smith-ldap-5_2_0-62_el5_sme, e-smith-ldap-5_2_0-68_el5_sme, e-smith-ldap-5_2_0-67_el5_sme, e-smith-ldap-5_2_0-64_el5_sme, HEAD
* Thu Oct 14 2010 Daniel Berteaud <daniel@firewall-services.com> 5.2.0-50.sme
- Allow authenticated users to read posixAccount and shadowAccount attrs [SME: 6254]

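--- a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
@@ -2,9 +2,17 @@
 # Prevent access to system, dummy and machine accounts
 
 access to dn.subtree=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson))
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
 by anonymous none
+
 access to dn.subtree=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject))
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
 by anonymous none
+
 access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); }
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
 by anonymous none
 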
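Review bot: The new `by users … read` clauses on all three `access to dn.subtree=…` directives grant every authenticated bind read access to the whole of each system, dummy and machine entry, not only to the posixAccount and shadowAccount attributes named in the changelog. slapd applies the first `access to` directive that matches, so, assuming the fragments are concatenated in filename order, entries selected here never reach the attribute-level rule in 95acls80sensibleAcl; this is safe only if an earlier fragment (not visible in this patch) already denies password-hash attributes such as `userPassword`, which is worth confirming for `ou=Computers` in particular. The header comment is now stale and I would change it to `# Prevent anonymous access to system, dummy and machine accounts`. Also note that `peername.ip="127.0.0.1"` matches IPv4 loopback only, so local clients arriving over `::1` or an ldapi socket would presumably fall through to the `ssf=128` clause.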
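--- a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
@@ -1,7 +1,10 @@
 {
 
 # Array of attrs which should not be visible anonymously
-@sensible = ();
+@anon = ();
+
+# Array of attrs which should not be visible by other users
+@users = ();
 
 $OUT .= '';
 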
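Review bot: Renaming `@sensible` to `@anon` silently drops protection for any fragment that is not converted in the same commit. The fragments shown here declare their arrays without `my` and show no `use strict`, so a leftover `push @sensible, …` in a custom or contrib fragment would presumably still run without error while its attributes no longer reach the generated ACL. This patch converts 95acls72posixAccount and 95acls74shadowAccount; the template tree should be searched for any remaining use of `@sensible` before this ships. The new comment could also be more precise, for example `# Attrs readable only by the entry owner (hidden from other authenticated users)`, which matches the `by self … read` / `by * none` clause generated in 95acls80sensibleAcl.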
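--- a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
@@ -1,7 +1,7 @@
 {
 
 # Sensible attributes related to posixAccount
-push @sensible, qw/loginShell gidNumber homeDirectory uidNumber/;
+push @anon, qw/loginShell gidNumber homeDirectory uidNumber/;
 
 $OUT .= '';
 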
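--- a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
@@ -1,7 +1,7 @@
 {
 
 # Sensible attributes related to shadowAccount
-push @sensible,qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/;
+push @anon, qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/;
 
 $OUT .= '';
 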
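--- a/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
+++ b/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
@@ -1,13 +1,27 @@
 {
-my $attrs = join(",",@sensible);
+my $anon_attrs = join(",",@anon);
+my $users_attrs = join(",",@users);
 
-unless ($attrs eq ''){
+unless ($anon_attrs eq ''){
 $OUT .=<<"HERE";
-# Restrict access to some sensible attributes
-access to attrs=$attrs
+access to attrs=$anon_attrs
 by self peername.ip="127.0.0.1" read
 by self ssf=128 read
- by anonymous none
+ by users peername.ip="127.0.0.1" read
+ by users ssf=128 read
+ by * none
+
+HERE
+}
+
+unless ($users_attrs eq ''){
+ $OUT .=<<"HERE";
+access to attrs=$users_attrs
+ by self peername.ip="127.0.0.1" read
+ by self ssf=128 read
+ by * none
+
 HERE
 }
+
 }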
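Review bot: The `$anon_attrs` clause is emitted before the `$users_attrs` clause, and slapd applies the first `access to` directive that matches an attribute, so an attribute pushed onto both `@anon` and `@users` would be governed by the first clause and stay readable by every authenticated user. Emitting the `$users_attrs` block first, or filtering `@users` members out of `@anon` before the `join`, would make the stricter rule win. In the first clause the two `by self … read` lines are now redundant, because the added `by users` lines carry the same conditions and already cover the entry owner. No fragment in this patch pushes onto `@users`, so the second block is not exercised here. The generated output has also lost its `# Restrict access to some sensible attributes` comment; a one-line comment above each `access to attrs=` line would help whoever audits the resulting slapd.conf.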
