However, make an exception for supplementaryGid=adm users for security
reasons (wouldn't want keyring-maint to be able to take over a root
account).
The ACL gives writes to a non-existing group; this should be created,
e.g.
cn=Keyring Maintainers,ou=users,dc=debian,dc=org
objectClass: top
objectClass: groupOfNames
cn: Keyring Maintainers
member: uid=noodles,ou=users,dc=debian,dc=org
member: uid=gwolf,ou=users,dc=debian,dc=org
Signed-off-by: Peter Palfrader <peter@palfrader.org>
by dn="uid=sshdist,ou=users,@@DN@@" write
by * break
by dn="uid=sshdist,ou=users,@@DN@@" write
by * break
+# allow keyring maint to write to the keyFingerPrint attribute
+# (make an exception for adm for security reasons)
+access to filter="(!(supplementaryGid=adm))" attrs=keyFingerPrint
+ by dn="cn=Keyring Maintainers,ou=users,@@DN@@" write
+ by * break
+
# allow users write access to an explicit subset of their fields
access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions,facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP,userPassword,sudoPassword,bATVToken
by self write
# allow users write access to an explicit subset of their fields
access to attrs=c,l,loginShell,ircNick,labeledURI,icqUIN,jabberJID,onVacation,birthDate,mailDisableMessage,gender,emailforward,mailCallout,mailGreylisting,mailRBL,mailRHSBL,mailWhitelist,mailContentInspectionAction,mailDefaultOptions,facsimileTelephoneNumber,telephoneNumber,postalAddress,postalCode,loginShell,onVacation,privateSub,latitude,longitude,VoIP,userPassword,sudoPassword,bATVToken
by self write
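Review bot: the clause 'by dn="cn=Keyring Maintainers,ou=users,@@DN@@" write' in the added keyFingerPrint rule matches only a bind as that exact DN, not the members of the group, so with the groupOfNames entry described in the commit message (member: uid=noodles, uid=gwolf) neither maintainer would actually get write access to keyFingerPrint. Use the group form instead, 'by group="cn=Keyring Maintainers,ou=users,@@DN@@" write', which slapd evaluates against the entry's member attribute (groupOfNames/member are the defaults) and so matches the LDIF given in the message. The filter '(!(supplementaryGid=adm))' also matches entries that carry no supplementaryGid at all, which is the intended behaviour for ordinary users here, and the trailing 'by * break' keeps evaluation going to the existing self-write rule for everyone else.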