|
|
@ -147,18 +147,19 @@ |
|
|
|
by self write |
|
|
|
by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth |
|
|
|
by * none |
|
|
|
# [1.1] -> Admins can list the full People tree |
|
|
|
# [1.1] -> Admins can add/remove People entries |
|
|
|
- >- |
|
|
|
{2} to dn.exact=ou=People,{{ ldap_basedn }} attrs=children |
|
|
|
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write |
|
|
|
by * none |
|
|
|
|
|
|
|
# [1.2] -> Admins can list the full People tree |
|
|
|
# -> Servers can perform search on People tree |
|
|
|
- >- |
|
|
|
{2} to dn.exact=ou=People,{{ ldap_basedn }} |
|
|
|
{3} to dn.exact=ou=People,{{ ldap_basedn }} |
|
|
|
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} read |
|
|
|
by dn.children=ou=Server,{{ ldap_basedn }} search |
|
|
|
by * none |
|
|
|
# [1.2] -> Admins can add/remove People entries |
|
|
|
- >- |
|
|
|
{3} to dn.exact=ou=People,{{ ldap_basedn }} attrs=children |
|
|
|
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write |
|
|
|
by * none |
|
|
|
# [1.3] -> Admins can edit all People attributes |
|
|
|
# -> Servers can read all People attributes (except userPassword) |
|
|
|
# -> People can read all their attributes |
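Review bot: The new `by dn.children=ou=Server,{{ ldap_basedn }} search` clause in the [1.2] list rule grants search on the People container to every entry anywhere beneath ou=Server, not only its direct children, so anyone able to create entries under that subtree presumably inherits the grant; if only the server accounts directly under ou=Server are meant, `dn.onelevel=` is the narrower match, and either way a comment such as `# -> any entry below ou=Server (all depths) may search the People tree` would make the scope explicit. The same hunk now carries two clauses for the same target (`{2} to dn.exact=ou=People,...` and `{3} ... attrs=children`); since slapd stops at the first `to` clause that matches, it is worth confirming with slapacl that the admin add/remove rule at {3} is still reached, and the comment at [1.2] could say so. The hunk header here is rendered as `@ -147,18 +147,19 @@` and the old/new sides of the duplicated lines are not recoverable from this page, so the above is read from the new-side text only.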
|
|
|