X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=userdir-ldap-slapd.conf.in;h=56531550b498efeb54588aeba9e74fc14362835b;hb=4013d4fb240dc49c0262952f156794d63462e796;hp=f586e398498b0d74e160979536276d1110eca004;hpb=a3437bcd185d533199ebd7c3e0f69b816cc904af;p=mirror%2Fuserdir-ldap.git

diff --git a/userdir-ldap-slapd.conf.in b/userdir-ldap-slapd.conf.in
index f586e39..5653155 100644
--- a/userdir-ldap-slapd.conf.in
+++ b/userdir-ldap-slapd.conf.in
@@ -1,5 +1,5 @@
 # The backend type, ldbm, is the default standard
-database bdb
+database hdb
 
 # The base of your directory
 suffix          "@@DN@@"
@@ -18,50 +18,38 @@ sizelimit 10000
 # Save the time that the entry gets modified
 lastmod on
 
-# owner writeable
-access to attrs=userPassword,sudoPassword
+# LDAP admins have full access, so has sshdist
+access to *
 	by group="cn=LDAP Administrator,ou=users,@@DN@@" write
-	by dn="uid=sshdist,ou=users,@@DN@@"  write
+	by dn="uid=sshdist,ou=users,@@DN@@" write
+	by * break
+
+# allow users write access to an explicit subset of their fields
+access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions,facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP,userPassword,sudoPassword,bATVToken
 	by self write
+	by * break
+
+# owner writeable
+access to attrs=userPassword,sudoPassword,bATVToken
 	by * compare
 
 access to attrs=sshrsaauthkey
-	by group="cn=LDAP Administrator,ou=users,@@DN@@" write
-	by dn="uid=sshdist,ou=users,@@DN@@"  write
 	by self read
 	by * compare
 
-# debian readable
-access to attrs=activity-pgp,activity-from,dnsZoneEntry
-	by group="cn=LDAP Administrator,ou=users,@@DN@@" write
-	by dn="uid=sshdist,ou=users,@@DN@@" write
+# debian.org readable, authenticated user readable
+access to attrs=activity-pgp,activity-from,dnsZoneEntry,c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions
 	by peername.ip=127.0.0.1 read
 	by domain=alioth.debian.org none
 	by domain.subtree=@@DOMAIN@@ read
 	by dn.regex="uid=.*,ou=users,@@DN@@" read
 	by * none
 
-# owner writeable, debian readable, authenticated user readable
-access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction
-	by group="cn=LDAP Administrator,ou=users,@@DN@@" write
-	by dn="uid=sshdist,ou=users,@@DN@@" write
-	by self write
-	by dn.regex="uid=.*,ou=users,@@DN@@" read
-	by peername.ip=127.0.0.1 read
-	by domain=alioth.debian.org none
-	by domain.subtree=@@DOMAIN@@ read
-	by * none
-
 # owner writeable, authenticated user readable
 access to attrs=facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP
-	by group="cn=LDAP Administrator,ou=users,@@DN@@" write
-	by dn="uid=sshdist,ou=users,@@DN@@" write
-	by self write
 	by dn.regex="uid=.*,ou=users,@@DN@@" read
 	by * none
 
 # globally readable
 access to *
-	by group="cn=LDAP Administrator,ou=users,@@DN@@" write
-	by dn="uid=sshdist,ou=users,@@DN@@" write
 	by * read