e-smith-ldap/sme8/e-smith-ldap-5.2.0-anonymous_acl.patch

diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects       1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects     2010-10-01 19:14:20.000000000 +0200
@@ -0,0 +1,10 @@
+# Anonymous users should only be able to see SME users and groups for addressbook purpose
+# Prevent access to system, dummy and machine accounts
+
+access to dn.subtree=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson))
+        by anonymous   none
+access to dn.subtree=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject))
+        by anonymous   none
+access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); }
+        by anonymous   none
+
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs       2010-10-01 19:12:10.000000000 +0200
@@ -0,0 +1,8 @@
+{
+
+# Array of attrs which should not be visible anonymously
+@sensible = ();
+
+$OUT .= '';
+
+}
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount  1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount        2010-10-01 19:12:10.000000000 +0200
@@ -0,0 +1,8 @@
+{
+
+# Sensible attributes related to posixAccount
+push @sensible, qw/loginShell gidNumber homeDirectory uidNumber/;
+
+$OUT .= '';
+
+}
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount       2010-10-01 19:12:10.000000000 +0200
@@ -0,0 +1,8 @@
+{
+
+# Sensible attributes related to shadowAccount
+push @sensible,qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/; 
+
+$OUT .= '';
+
+}
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl   1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 2010-10-01 19:16:31.000000000 +0200
@@ -0,0 +1,13 @@
+{
+my $attrs = join(",",@sensible);
+
+unless ($attrs eq ''){
+    $OUT .=<<"HERE";
+# Restrict access to some sensible attributes
+access to attrs=$attrs
+        by self        peername.ip="127.0.0.1" read
+        by self        ssf=128 read
+        by anonymous   none
+HERE
+}
+}
1	vip-ire	1.1	diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
2			--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects 1970-01-01 01:00:00.000000000 +0100
3			+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects 2010-10-01 19:14:20.000000000 +0200
4			@@ -0,0 +1,10 @@
5			+# Anonymous users should only be able to see SME users and groups for addressbook purpose
6			+# Prevent access to system, dummy and machine accounts
7			+
8			+access to dn.subtree=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson))
9			+ by anonymous none
10			+access to dn.subtree=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject))
11			+ by anonymous none
12			+access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); }
13			+ by anonymous none
14			+
15			diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
16			--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 1970-01-01 01:00:00.000000000 +0100
17			+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 2010-10-01 19:12:10.000000000 +0200
18			@@ -0,0 +1,8 @@
19			+{
20			+
21			+# Array of attrs which should not be visible anonymously
22			+@sensible = ();
23			+
24			+$OUT .= '';
25			+
26			+}
27			diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
28			--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount 1970-01-01 01:00:00.000000000 +0100
29			+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount 2010-10-01 19:12:10.000000000 +0200
30			@@ -0,0 +1,8 @@
31			+{
32			+
33			+# Sensible attributes related to posixAccount
34			+push @sensible, qw/loginShell gidNumber homeDirectory uidNumber/;
35			+
36			+$OUT .= '';
37			+
38			+}
39			diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
40			--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 1970-01-01 01:00:00.000000000 +0100
41			+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 2010-10-01 19:12:10.000000000 +0200
42			@@ -0,0 +1,8 @@
43			+{
44			+
45			+# Sensible attributes related to shadowAccount
46			+push @sensible,qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/;
47			+
48			+$OUT .= '';
49			+
50			+}
51			diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
52			--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 1970-01-01 01:00:00.000000000 +0100
53			+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 2010-10-01 19:16:31.000000000 +0200
54			@@ -0,0 +1,13 @@
55			+{
56			+my $attrs = join(",",@sensible);
57			+
58			+unless ($attrs eq ''){
59			+ $OUT .=<<"HERE";
60			+# Restrict access to some sensible attributes
61			+access to attrs=$attrs
62			+ by self peername.ip="127.0.0.1" read
63			+ by self ssf=128 read
64			+ by anonymous none
65			+HERE
66			+}
67			+}