path: root/hosted-kolab/06-add-self-reg-hosted-domain.sh
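#!/bin/bash
#
# Provision a hosted domain in 389 Directory Server for Kolab.
#
# The script builds LDIF on the fly and pipes it into ldapadd in three steps:
#   1. one inetdomain entry per domain under ${domain_base_dn}, the
#      mapping-tree entry and the ldbm backend for ${hosted_domain};
#   2. the suffix entry ${hosted_domain_rootdn} with its ACIs;
#   3. the Kolab OUs (Groups, People, Special Users, Resources, Shared Folders)
#      under that suffix.
#
# All configuration comes from ./settings.sh; the path is relative, so run the
# script from the directory that holds it.
#
# NOTE(review): ldapadd is called with -x (simple bind) and nothing requests
# StartTLS, so the bind password crosses the network in clear unless
# ${ldap_host} is the local host or the link is otherwise protected.
. ./settings.sh

# Fail before any LDIF is sent if settings.sh left a variable that ends up in a
# DN or in the bind unset/empty; otherwise ldapadd would receive truncated DNs
# and the domain would be provisioned only partially.
: "${hosted_domain:?hosted_domain must be set in settings.sh}"
: "${domain_base_dn:?domain_base_dn must be set in settings.sh}"
: "${rootdn:?rootdn must be set in settings.sh}"
: "${hosted_domain_rootdn:?hosted_domain_rootdn must be set in settings.sh}"
: "${ldap_host:?ldap_host must be set in settings.sh}"
: "${ldap_binddn:?ldap_binddn must be set in settings.sh}"
: "${ldap_bindpw:?ldap_bindpw must be set in settings.sh}"
# NOTE(review): the suffix-entry ACIs in step 2 also expand ${domain} and
# ${domain_rootdn}; confirm settings.sh defines both — they are not checked here.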

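# Step 1: the inetdomain entries, the mapping-tree entry and the ldbm backend
# for the hosted suffix.  ldapadd runs with -c (continuous) so that an entry
# which already exists does not stop the remaining ones — presumably because
# the fixed service domains below are shared between hosted domains.
#
# -y reads the bind password from a file descriptor instead of argv, so it does
# not show up in `ps` or in a `set -x` trace; printf has no trailing newline
# because -y takes the file's entire content as the password, exactly like -w.
(
    # Backend name: the hosted domain with every '.' replaced by '_'.
    backend="${hosted_domain//./_}"

    # The hosted domain and the fixed service domains get identical entries.
    # The ACI denies everyone except the two service accounts and the entries
    # *under* ou=People of the hosted suffix.  The userdn URL must use the
    # "ldap:///" form — with "ldap://" the ou would be parsed as a host — and
    # the "??sub?(objectclass=*)" scope so that the users, not only ou=People
    # itself, match; this is the same form the ou=People ACI in step 3 uses.
    for domain in "${hosted_domain}" kolabnow.com swisscollab.ch mykolab.ch; do
        echo "dn: associateddomain=${domain},${domain_base_dn}"
        echo "objectclass: top"
        echo "objectclass: domainrelatedobject"
        echo "objectclass: inetdomain"
        echo "associateddomain: ${domain}"
        echo "inetdomainstatus: active"
        # NOTE(review): hard-coded shared base DN; presumably the same tree as
        # ${hosted_domain_rootdn} — confirm against settings.sh.
        echo "inetdomainbasedn: dc=mykolab,dc=com"
        echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
        echo ""
    done

    # The mapping-tree cn is the suffix DN with '=' and ',' escaped as \3D and
    # \2D (sed sees '\\3D' and emits a literal backslash followed by 3D).
    mapping_cn=$(printf '%s\n' "${hosted_domain_rootdn}" | sed -e 's/=/\\3D/g' -e 's/,/\\2D/g')
    echo "dn: cn=${mapping_cn},cn=mapping tree,cn=config"
    echo "objectClass: top"
    echo "objectClass: extensibleObject"
    echo "objectClass: nsMappingTree"
    echo "nsslapd-state: backend"
    echo "cn: ${hosted_domain_rootdn}"
    echo "nsslapd-backend: ${backend}"
    echo ""

    echo "dn: cn=${backend},cn=ldbm database,cn=plugins,cn=config"
    echo "objectClass: top"
    echo "objectClass: extensibleobject"
    echo "objectClass: nsbackendinstance"
    echo "cn: ${backend}"
    echo "nsslapd-suffix: ${hosted_domain_rootdn}"
    echo "nsslapd-cachesize: -1"
    echo "nsslapd-cachememsize: 10485760"
    echo "nsslapd-readonly: off"
    echo "nsslapd-require-index: off"
    echo "nsslapd-directory: /var/lib/dirsrv/slapd-$(hostname -s)/db/${backend}"
    echo "nsslapd-dncachememsize: 10485760"
    echo ""

) | ldapadd -x -h "${ldap_host}" -D "${ldap_binddn}" -y <(printf '%s' "${ldap_bindpw}") -c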

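# Step 2: the suffix entry itself.  "Service Search Access" excludes
# userPassword from what the kolab-service account may read; "Enable self write"
# lets users change their own common attributes, userPassword included.
#
# NOTE(review): ${domain} is only assigned inside the step-1 subshell, so here
# it — like ${domain_rootdn} — must come from settings.sh.  Every other ACI in
# this script addresses kolab-service under ${rootdn}, not ${domain_rootdn};
# confirm which one is meant, an empty value yields a truncated userdn.
#
# -y reads the bind password from a file descriptor instead of argv, so it does
# not show up in `ps` or in a `set -x` trace; printf has no trailing newline
# because -y takes the file's entire content as the password, exactly like -w.
(
    echo "dn: ${hosted_domain_rootdn}"
    echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
    echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
    echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
    echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
    echo "aci: (targetattr =\"*\")(version 3.0;acl \"Kolab Administrators\";allow (all) (roledn=\"ldap:///cn=kolab-admin,${rootdn}\");)"
    echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
    echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${domain_rootdn}\");)"
    echo "objectClass: top"
    echo "objectClass: domain"
    # dc is the first label of the hosted domain (everything before the first '.').
    echo "dc: ${hosted_domain%%.*}"
    echo ""
) | ldapadd -x -h "${ldap_host}" -D "${ldap_binddn}" -y <(printf '%s' "${ldap_bindpw}")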

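# Step 3: the Kolab OUs under the hosted suffix.  Groups, Resources and Shared
# Folders are visible to the kolab-service account only; Special Users also to
# hosted-kolab-service; ou=People additionally lets hosted-kolab-service
# search and add entries (the provisioning path) and lets users read their own
# entry, while kolab-service may read everything except userPassword.
#
# -y reads the bind password from a file descriptor instead of argv, so it does
# not show up in `ps` or in a `set -x` trace; printf has no trailing newline
# because -y takes the file's entire content as the password, exactly like -w.
(
    # Shared by the OUs that only the kolab-service account may touch.
    service_only_aci="(targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"

    echo "dn: ou=Groups,${hosted_domain_rootdn}"
    echo "aci: ${service_only_aci}"
    echo "ou: Groups"
    echo "objectClass: top"
    echo "objectClass: organizationalunit"
    echo ""

    echo "dn: ou=People,${hosted_domain_rootdn}"
    echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
    echo "aci: (targetattr = \"*\") (version 3.0;acl \"Allow Hosted Kolab Service\"; allow (search,add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
    echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Allow Kolab Service\"; allow (read,search,compare)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
    echo "aci: (targetattr = \"*\") (version 3.0;acl \"Self Search Access\";allow (read,compare,search)(userdn = \"ldap:///self\");)"
    echo "ou: People"
    echo "objectClass: top"
    echo "objectClass: organizationalunit"
    echo ""

    echo "dn: ou=Special Users,${hosted_domain_rootdn}"
    echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
    echo "ou: Special Users"
    echo "objectClass: top"
    echo "objectClass: organizationalunit"
    echo ""

    echo "dn: ou=Resources,${hosted_domain_rootdn}"
    echo "aci: ${service_only_aci}"
    echo "ou: Resources"
    echo "objectClass: top"
    echo "objectClass: organizationalunit"
    echo ""

    echo "dn: ou=Shared Folders,${hosted_domain_rootdn}"
    echo "aci: ${service_only_aci}"
    echo "ou: Shared Folders"
    echo "objectClass: top"
    echo "objectClass: organizationalunit"
    echo ""

) | ldapadd -x -h "${ldap_host}" -D "${ldap_binddn}" -y <(printf '%s' "${ldap_bindpw}")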