e-smith-ldap/sme8/e-smith-ldap-5.2.0-anonymous_acl.patch

diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects       1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects     2010-10-01 19:14:20.000000000 +0200
@@ -0,0 +1,10 @@
+# Anonymous users should only be able to see SME users and groups for addressbook purpose
+# Prevent access to system, dummy and machine accounts
+
+access to dn.subtree=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson))
+        by anonymous   none
+access to dn.subtree=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject))
+        by anonymous   none
+access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); }
+        by anonymous   none
+
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs       2010-10-01 19:12:10.000000000 +0200
@@ -0,0 +1,8 @@
+{
+
+# Array of attrs which should not be visible anonymously
+@sensible = ();
+
+$OUT .= '';
+
+}
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount  1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount        2010-10-01 19:12:10.000000000 +0200
@@ -0,0 +1,8 @@
+{
+
+# Sensible attributes related to posixAccount
+push @sensible, qw/loginShell gidNumber homeDirectory uidNumber/;
+
+$OUT .= '';
+
+}
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount       2010-10-01 19:12:10.000000000 +0200
@@ -0,0 +1,8 @@
+{
+
+# Sensible attributes related to shadowAccount
+push @sensible,qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/; 
+
+$OUT .= '';
+
+}
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl   1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 2010-10-01 19:16:31.000000000 +0200
@@ -0,0 +1,13 @@
+{
+my $attrs = join(",",@sensible);
+
+unless ($attrs eq ''){
+    $OUT .=<<"HERE";
+# Restrict access to some sensible attributes
+access to attrs=$attrs
+        by self        peername.ip="127.0.0.1" read
+        by self        ssf=128 read
+        by anonymous   none
+HERE
+}
+}
1	diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
2	--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects 1970-01-01 01:00:00.000000000 +0100
3	+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects 2010-10-01 19:14:20.000000000 +0200
4	@@ -0,0 +1,10 @@
5	+# Anonymous users should only be able to see SME users and groups for addressbook purpose
6	+# Prevent access to system, dummy and machine accounts
7	+
8	+access to dn.subtree=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson))
9	+ by anonymous none
10	+access to dn.subtree=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject))
11	+ by anonymous none
12	+access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); }
13	+ by anonymous none
14	+
15	diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
16	--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 1970-01-01 01:00:00.000000000 +0100
17	+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs 2010-10-01 19:12:10.000000000 +0200
18	@@ -0,0 +1,8 @@
19	+{
20	+
21	+# Array of attrs which should not be visible anonymously
22	+@sensible = ();
23	+
24	+$OUT .= '';
25	+
26	+}
27	diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
28	--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount 1970-01-01 01:00:00.000000000 +0100
29	+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount 2010-10-01 19:12:10.000000000 +0200
30	@@ -0,0 +1,8 @@
31	+{
32	+
33	+# Sensible attributes related to posixAccount
34	+push @sensible, qw/loginShell gidNumber homeDirectory uidNumber/;
35	+
36	+$OUT .= '';
37	+
38	+}
39	diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
40	--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 1970-01-01 01:00:00.000000000 +0100
41	+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount 2010-10-01 19:12:10.000000000 +0200
42	@@ -0,0 +1,8 @@
43	+{
44	+
45	+# Sensible attributes related to shadowAccount
46	+push @sensible,qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/;
47	+
48	+$OUT .= '';
49	+
50	+}
51	diff -Nur -x '.orig' -x '.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
52	--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 1970-01-01 01:00:00.000000000 +0100
53	+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl 2010-10-01 19:16:31.000000000 +0200
54	@@ -0,0 +1,13 @@
55	+{
56	+my $attrs = join(",",@sensible);
57	+
58	+unless ($attrs eq ''){
59	+ $OUT .=<<"HERE";
60	+# Restrict access to some sensible attributes
61	+access to attrs=$attrs
62	+ by self peername.ip="127.0.0.1" read
63	+ by self ssf=128 read
64	+ by anonymous none
65	+HERE
66	+}
67	+}