debian-edu-config 1.818+deb8u2 / etc / ldap / root.ldif

## gosaAclEntry 0: contains the ACL for the gosa ldap super-admin
## defined in gosa.ldif; the cryptic string is the dn of the
## corresponding user in base64 encoding, compare:
## echo -n "uid=super-admin,ou=people,dc=skole,dc=skolelinux,dc=no" | base64
##

## gosaAclEntry 1: All users in the teachers group are allowed to read
## all personal data.
## echo -n "cn=teachers,ou=group,ou=Teachers,dc=skole,dc=skolelinux,dc=no" | base64 -w0
##
## gosaAclEntry 2:  compare: echo -n "*" | base64
## All users are allowed to change some personal data and their password.
## If you prefer a default user is allowed to only change his password use: 
##     gosaAclEntry: 1:psub:Kg==:users/password;srw
##
## gosaAclEntry 3: predefined admin role defined in: 
## echo -n "cn=admin,ou=aclroles,dc=skole,dc=skolelinux,dc=no" | base64 -w0
## (no default members)
##
dn: dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: dcObject
objectClass: labeledURIObject
objectClass: organization
objectClass: gosaAcl
objectClass: gosaDepartment
description: Debian-Edu
dc: skole
ou: skole
o: skole.skolelinux.no
labeledURI: http://www/ LDAP for Debian Edu/Skolelinux
gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r,users/sambaAccount;#AllowLoginOnTerminalServer;r#InheritClientConfig;r#sambaKickoffTime;r#enforcePasswordChange;r#cannotChangePassword;r#noPasswordRequired;r#passwordNeverExpires;r#temporaryDisabled;r#sambaLogonHours;r#sambaUserWorkstations;r
gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r
gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw
gosaAclEntry: 3:role:$ADMINROLEDN64:

dn: ou=attic,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
ou: attic

dn: ou=people,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
objectClass: labeledURIObject
ou: people

dn: ou=systems,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
ou: systems

dn: ou=workstations,ou=systems,dc=skole,dc=skolelinux,dc=no
objectClass: organizationalUnit
ou: workstations

dn: ou=terminals,ou=systems,dc=skole,dc=skolelinux,dc=no
objectClass: organizationalUnit
ou: terminals

dn: ou=printers,ou=systems,dc=skole,dc=skolelinux,dc=no
objectClass: organizationalUnit
ou: printers

dn: ou=winstations,ou=systems,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
ou: winstations

dn: ou=group,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
ou: group

dn: ou=variables,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
ou: variables

dn: ou=ldap-access,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
ou: ldap-access

dn: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalRole
objectClass: gosaAccount
objectClass: simpleSecurityObject
cn: admin
uid: admin
description: LDAP Administrator
userPassword: $ROOTPWDSSHAHASH

#
# MOVED TO samba.ldif...
# The SAMBA SID calculation for groups is Group RID = GID*2 + 1001
#
#dn: cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no
#objectClass: top
#objectClass: posixGroup
#objectClass: sambaGroupMapping
#cn: admins
#description: All system administrators in the institution
#gidNumber: 10001
#sambaSID: $SAMBASID-21003
#sambaGroupType: 2
#displayName: Domain Admins
#
#dn: cn=jradmins,ou=group,dc=skole,dc=skolelinux,dc=no
#objectClass: top
#objectClass: posixGroup
#objectClass: sambaGroupMapping
#cn: jradmins
#description: All junior admins in the institution
#gidNumber: 10002
#sambaSID: $SAMBASID-21005
#sambaGroupType: 2
#displayName: jradmins

dn: cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: gosa-admin
description: LDAP administrator used by gosa
userPassword: $GOSAPWDHASH

dn: ou=samba,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalUnit
ou: samba

dn: cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: smbadmin
description: Samba Administrator
userPassword: $SAMBAPWDHASH

dn: cn=ldap-admins,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: groupOfNames
cn: ldap-admins
description: All system administrators with full LDAP access
member: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
member: cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no

# This group is not used, as GOsa uses LDAP bind to authenticate
# users.
# FIXME See if this is still true after Squeeze.
#dn: cn=ldap-auth,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
#objectClass: top
#objectClass: groupOfNames
#cn: ldap-auth
#description: Users allowed to authenticate using LDAP instead of Kerberos
#member: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
#member: cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
#member: cn=kadmin-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no
#member: cn=kdc-service,cn=kerberos,dc=skole,dc=skolelinux,dc=no
#member: cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no
#member: uid=super-admin,ou=people,dc=skole,dc=skolelinux,dc=no