Diffstat (limited to 'hosted-kolab/replace-aci')
-rwxr-xr-xhosted-kolab/replace-aci170
1 files changed, 170 insertions, 0 deletions
diff --git a/hosted-kolab/replace-aci b/hosted-kolab/replace-aci
new file mode 100755
index 0000000..8d21d3b
--- /dev/null
+++ b/hosted-kolab/replace-aci
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+. ./settings.sh
+
+(
+ echo "dn: ${domain_base_dn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (target = \"ldap:///associateddomain=*,${domain_base_dn}\")(targetattr=\"objectclass || aci || inetdomainstatus || inetdomainbasedn || associateddomain\") (version 3.0;acl \"Allow Domain Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: ${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Kolab Administrators\";allow (all) (roledn=\"ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Search Access\";allow (compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr != \"userPassword\")(version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${domain_rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain OU Registration\"; allow (add,write)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: associateddomain=self-reg.tld,${domain_base_dn}"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=self-reg.tld,${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "inetDomainStatus: active"
+ echo "objectClass: top"
+ echo "objectClass: domainrelatedobject"
+ echo "objectClass: inetdomain"
+ echo "associatedDomain: self-reg.tld"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems
+
+export hosted_domain="self-reg.tld"
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain sub-OU Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///uid=*,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"*\") (version 3.0;acl \"Allow Domain First User Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///cn=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || cn\") (version 3.0;acl \"Allow Domain Role Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: ${hosted_domain}"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain sub-OU Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///uid=*,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"*\") (version 3.0;acl \"Allow Domain First User Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///cn=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || cn\") (version 3.0;acl \"Allow Domain Role Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+
+ echo "dn: cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: admin-user"
+ echo ""
+
+ echo "dn: cn=activesync-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: activesync-user"
+ echo ""
+
+ echo "dn: cn=imap-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: imap-user"
+ echo ""
+
+ echo "dn: cn=kolab-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: kolab-user"
+ echo ""
+
+ echo "dn: cn=xmpp-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: xmpp-user"
+ echo ""
+
+ echo "dn: ou=Groups,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Groups"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=People,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: People"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Resources,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Resources"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Shared Folders,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Shared Folders"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: uid=kanarip@self-reg.tld,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectClass: top"
+ echo "objectClass: inetorgperson"
+ echo "objectClass: kolabinetorgperson"
+ echo "objectClass: mailrecipient"
+ echo "objectClass: organizationalperson"
+ echo "objectClass: country"
+ echo "objectClass: person"
+ echo "givenName: Jeroen"
+ echo "mailQuota: 1048576"
+ echo "preferredLanguage: en_US"
+ echo "sn: van Meeuwen"
+ echo "cn: Jeroen van Meeuwen"
+ echo "displayName: van Meeuwen, Jeroen"
+ echo "mail: kanarip@self-reg.tld"
+ echo "uid: kanarip@self-reg.tld"
+ echo "mailHost: localhost"
+ echo "c: CH"
+ echo "userPassword: ${default_user_password}"
+ echo "nsroledn: cn=activesync-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "nsroledn: cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "nsroledn: cn=kolab-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems -c
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems -c
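Review bot: The bind password for `uid=hosted-kolab-service` is committed in clear text as `-w Welcome2KolabSystems` on the ldapadd/ldapmodify invocations at the end of the third, fifth and sixth LDIF blocks, while the other binds correctly take `${ldap_bindpw}` from settings.sh; passed via `-w` it is also visible to every local user through `ps`. Move it into settings.sh next to `ldap_bindpw` and read it from a password file, e.g. `-D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -y "${hosted_service_pwfile:?}"` (constructed variable name, replace with the project's). Related: `-h ${ldap_host}` is unquoted on every invocation, and with `-c` every ldapmodify continues past a rejected ACI replace while the script has no `set -e` and never checks the pipeline status, so a partially applied ACI set on `${hosted_domain_rootdn}` goes unnoticed; add `set -euo pipefail` after the shebang and `|| exit 1` on each pipeline. The script also seeds a real-looking test user `kanarip@self-reg.tld` with `${default_user_password}` in what the name presents as an ACI replacement script; a comment such as `# seeds the self-reg.tld sample domain and an initial admin user for testing` would stop it being run against production unreviewed.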