|
Navigation
 This wiki This page |
Access rights extension to the Open Directory @EPFL
Objective1) Remove ALL full-administration-capable users ! 2) Grant the right to users without administration capabilities to adding computers into computersgroups. 3) Grant the right to users without administration capabilities edit MCXSettings into computersgroups.
ContextMaster Open Directory: OS X 10.9.4 & Server 3.1.2 Client: OS X 10.9.4
Added items to directoryFor pilot project…
Procedure1) Bind a trusted computer with Directory Utility.
Follow Up1) usergroup creation by the faculty administrator with https://groups.epfl.ch/. 2) Receive usergroup name and desired computergroup name from the administrator. 3) computergroup creation by us. 4) ACL creation for grant the edit/modify rights (members and MCXSettings) to the computergroup by the usergroup. 5) include usergroup into com.apple.limited_admin group (for access with WGM).
New ACL rules script
#!/bin/sh
#
# title: Règles DACL
# subtitle: -
# project: cn=Open Directory @ EPFL
# modification date: 8 septembre 2014
# creation date: 26 august 2014
# version: 0.6
Version="0.6"
# file name: .../ACLadd
# dependence: .../ACLdel
# author: Pascal Fabbri @ ÉpfL Domaine IT - Core Services (DIT-SB)
# email: pascal.fabbri@epfl.ch
# character set: UTF-8
# description: Charge de nouvelles règles DACL au niveau OpenLDAP de
# l'infrastructure Open Directory. Une authentification comme
# administrateur de l’annuaire est nécessaire (exemple:
# kinit diradmin).
#
nc=`ldapsearch -x -LLL -b "" -s base namingContexts | awk '/namingContexts/ {print $2}'`
# Naming Context: dc=moda,dc=epfl,dc=ch
hn=`ldapsearch -x -LLL -b "" -s base dNSHostName | awk '/dNSHostName/ {print $2}'`
# Host Name: moda.epfl.ch
mg=sysrole
# Groupe de gestionnaire
cg=pilotepool
# Groupe de machine
ldapmodify <<EOF
#
# Ensemble de règle n°2.
#
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to
dn.exact="cn=heureux,cn=computer_lists,dc=modb,dc=epfl,dc=ch"
attrs=@apple-computer-list
by set="user/uid & [cn=heurole,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write
by set="user/uid & [cn=admin,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dn.exact="cn=modb.epfl.ch$,cn=computers,dc=modb,dc=epfl,dc=ch" write
by * read
#
# Seuls les membres du groupe «heurole» ont le privilège d'ajouter ou de retirer
# un membre au groupe de machines «heureux». Ensemble de règle n°2.
#
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to
dn.exact="cn=heureux,cn=computer_groups,dc=modb,dc=epfl,dc=ch"
attrs=memberUid,apple-group-memberguid,apple-group-nestedgroup
by set="user/uid & [cn=heurole,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write
by set="user/uid & [cn=admin,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dn.exact="cn=modb.epfl.ch$,cn=computers,dc=modb,dc=epfl,dc=ch" write
by * read
#
# Seuls les membres du groupe «heurole» ont le privilège de gérer les
# préférences gérées (MCX) du groupe de machines «heureux». Ensemble de règle n°2.
#
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to
dn.exact="cn=heureux,cn=computer_groups,dc=modb,dc=epfl,dc=ch"
attrs=apple-mcxflags,apple-mcxsettings
by set="user/uid & [cn=heurole,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write
by set="user/uid & [cn=admin,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dn.exact="cn=modb.epfl.ch$,cn=computers,dc=modb,dc=epfl,dc=ch" write
by * read
EOF
printf "%s\n\n" "done."
#----{end of script}---------------------------------------------------------
exit 0
|
Share |
