OpenDirectory
ACL
français | english
Navigation
Home
Sitemap
This wiki
This page

Access rights extension to the Open Directory @EPFL

 

Objective

1) Remove ALL full-administration-capable users !

2) Grant the right to users without administration capabilities to adding computers into computersgroups.

3) Grant the right to users without administration capabilities edit MCXSettings into computersgroups.

 

Context

Master Open Directory: OS X 10.9.4 & Server 3.1.2

Client: OS X 10.9.4

 

Added items to directory

For pilot project…

Users System Administrator of Computers sysadmin 1450 sysrole
Users Groups System Role sysrole 1450  
Computers        
Computers Groups Pilot Pool pilotpool 1450  

 

Procedure

1) Bind a trusted computer with Directory Utility.

 

 

Follow Up

1) usergroup creation by the faculty administrator with https://groups.epfl.ch/.

2) Receive usergroup name and desired computergroup name from the administrator.

3) computergroup creation by us.

4) ACL creation for grant the edit/modify rights (members and MCXSettingsto the computergroup by the usergroup.

5) include usergroup into com.apple.limited_admin group (for access with WGM).

 

New ACL rules script

#!/bin/sh
#
#             title: Règles DACL
#          subtitle: -
#           project: cn=Open Directory @ EPFL
# modification date: 8 septembre 2014
#     creation date: 26 august 2014
#           version: 0.6
            Version="0.6"
#         file name: .../ACLadd
#        dependence: .../ACLdel
#            author: Pascal Fabbri @ ÉpfL Domaine IT - Core Services (DIT-SB)
#             email: pascal.fabbri@epfl.ch
#     character set: UTF-8
#       description: Charge de nouvelles règles DACL au niveau OpenLDAP de
#                    l'infrastructure Open Directory. Une authentification comme
#                    administrateur de l’annuaire est nécessaire (exemple:
#                    kinit diradmin).
nc=`ldapsearch -x -LLL -b "" -s base namingContexts | awk '/namingContexts/ {print $2}'`
  # Naming Context: dc=moda,dc=epfl,dc=ch
hn=`ldapsearch -x -LLL -b "" -s base dNSHostName | awk '/dNSHostName/ {print $2}'`
  # Host Name: moda.epfl.ch
mg=sysrole
  # Groupe de gestionnaire
cg=pilotepool
  # Groupe de machine
 
 
ldapmodify  <<EOF
 
#
# Ensemble de règle n°2.
#
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to 
  dn.exact="cn=heureux,cn=computer_lists,dc=modb,dc=epfl,dc=ch"
    attrs=@apple-computer-list 
      by set="user/uid & [cn=heurole,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write 
      by set="user/uid & [cn=admin,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write 
      by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write 
      by dn.exact="cn=modb.epfl.ch$,cn=computers,dc=modb,dc=epfl,dc=ch" write 
      by * read
 
#
# Seuls les membres du groupe «heurole» ont le privilège d'ajouter ou de retirer
# un membre au groupe de machines «heureux». Ensemble de règle n°2.
#
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to 
  dn.exact="cn=heureux,cn=computer_groups,dc=modb,dc=epfl,dc=ch"
    attrs=memberUid,apple-group-memberguid,apple-group-nestedgroup 
      by set="user/uid & [cn=heurole,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write 
      by set="user/uid & [cn=admin,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write 
      by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write 
      by dn.exact="cn=modb.epfl.ch$,cn=computers,dc=modb,dc=epfl,dc=ch" write 
      by * read
 
#
# Seuls les membres du groupe «heurole» ont le privilège de gérer les
# préférences gérées (MCX) du groupe de machines «heureux». Ensemble de règle n°2.
#
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to 
  dn.exact="cn=heureux,cn=computer_groups,dc=modb,dc=epfl,dc=ch" 
    attrs=apple-mcxflags,apple-mcxsettings 
      by set="user/uid & [cn=heurole,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write 
      by set="user/uid & [cn=admin,cn=groups,dc=modb,dc=epfl,dc=ch]/memberUid" write 
      by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write 
      by dn.exact="cn=modb.epfl.ch$,cn=computers,dc=modb,dc=epfl,dc=ch" write 
      by * read
 
EOF
 
printf "%s\n\n" "done."
 
#----{end of script}---------------------------------------------------------
exit 0
Search
Share