From 5b65f8f21a2f1694c0c4f174573f8bdea19a0f0a Mon Sep 17 00:00:00 2001
From: Lars Kneschke
Date: Tue, 15 May 2007 04:04:38 +0000
Subject: [PATCH] bumped phpgwapi version number for new release and added working ldap acl example for egw ldap addressbook
---
 phpgwapi/doc/ldap/acl_egw_addressbook.conf | 113 +++++++++++++++++++++
 phpgwapi/setup/setup.inc.php | 2 +-
 phpgwapi/setup/tables_update.inc.php | 7 ++
 3 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 phpgwapi/doc/ldap/acl_egw_addressbook.conf

diff --git a/phpgwapi/doc/ldap/acl_egw_addressbook.conf b/phpgwapi/doc/ldap/acl_egw_addressbook.conf
new file mode 100644
index 0000000000..df884e0a44
--- /dev/null
+++ b/phpgwapi/doc/ldap/acl_egw_addressbook.conf
@@ -0,0 +1,113 @@
+#######################################################################
+#
+# Access to accounts
+#
+#######################################################################
+
+# only the user itself, the global admin, and the domain admin can
+# modify user passwords
+# required for authentication and changing password as user and admin
+access to dn.regex="^uid=([^,]+),ou=accounts,ou=([^,]+),dc=localdomain$"
+ attrs=userPassword,userPKCS12
+ by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write
+ by anonymous auth
+ by self write
+ by * none
+
+# allow admins to add new accounts to the tree
+access to dn.regex="^ou=accounts,ou=([^,]+),dc=localdomain$"
+ attrs=children
+ by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write
+ by * none
+
+# allow users readonly access to accounts in their own domain
+# access is limited to attributes of objectclass inetOrgPerson,mozillaAbPersonAlpha and evolutionPerson
+# used to display accounts in the addressbook
+access to dn.regex="ou=accounts,ou=([^,]+),dc=localdomain$"
+ attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
+ by dn.children,expand="ou=accounts,ou=$1,dc=localdomain" read
+ by users none break
+ by * none
+
+# allow admin account access to accounts in their own domain
+# used to modify and add new accounts
+access to dn.regex="ou=accounts,ou=([^,]+),dc=localdomain$"
+ attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson,@dbmailUser,@shadowAccount
+ by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write
+ by * none
+
+
+#######################################################################
+#
+# Access to groups
+#
+#######################################################################
+
+
+# allow admins to add new groups to the tree
+access to dn.regex="^ou=groups,ou=([^,]+),dc=localdomain$"
+ attrs=children
+ by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write
+ by * none
+
+# allow admin account access to groups in their own domain
+# used to modify and add new groups
+access to dn.regex="^cn=([^,]+),ou=groups,ou=([^,]+),dc=localdomain$"
+ attrs=entry,@posixGroup,@groupOfNames
+ by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write
+ by * none
+
+
+#######################################################################
+#
+# Access to personal addressbooks
+#
+#######################################################################
+
+# allow admins to add new personal addressbooks to the tree
+access to dn.regex="^ou=personal,ou=contacts,ou=([^,]+),dc=localdomain$"
+ attrs=children
+ by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write
+ by * none
+
+# allow admins to add new personal addressbooks
+# user can read the addressbooks only
+access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),dc=localdomain$"
+ attrs=entry
+ by dn.exact,expand="uid=$1,ou=accounts,ou=$2,dc=localdomain" read
+ by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write
+ by * none
+
+# allow user and egwadmin to manage personal addressbook entries
+access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),dc=localdomain$"
+ by dn.exact,expand="uid=$1,ou=accounts,ou=$2,dc=localdomain" write
+ by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write
+ by * none
+
+#######################################################################
+#
+# Access to group addressbooks
+#
+#######################################################################
+
+# allow admins to add new group addressbooks to the tree
+access to dn.regex="^ou=shared,ou=contacts,ou=([^,]+),dc=localdomain$"
+ attrs=children
+ by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write
+ by users none
+
+# allow admins to add new group addressbooks
+# groupmembers can read the addressbooks only
+access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,ou=([^,]+),dc=localdomain$"
+ attrs=entry
+ by group.expand="cn=$1,ou=groups,ou=$2,dc=localdomain" read
+ by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write
+ by * none
+
+# allow groups and egwadmin to manage group addressbook entries
+# by group.expand="cn=$1,ou=groups,ou=$2,dc=localdomain" peername=127.0.0.1 write
+access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,ou=([^,]+),dc=localdomain$"
+ by group.expand="cn=$1,ou=groups,ou=$2,dc=localdomain" write
+ by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write
+ by * none
+
diff --git a/phpgwapi/setup/setup.inc.php b/phpgwapi/setup/setup.inc.php
index d9b4aa0717..194b400b0f 100755
--- a/phpgwapi/setup/setup.inc.php
+++ b/phpgwapi/setup/setup.inc.php
@@ -14,7 +14,7 @@
 /* Basic information about this app */
 $setup_info['phpgwapi']['name'] = 'phpgwapi';
 $setup_info['phpgwapi']['title'] = 'eGroupWare API';
- $setup_info['phpgwapi']['version'] = '1.3.021';
+ $setup_info['phpgwapi']['version'] = '1.3.022';
 $setup_info['phpgwapi']['versions']['current_header'] = '1.28';
 $setup_info['phpgwapi']['enable'] = 3;
 $setup_info['phpgwapi']['app_order'] = 1;
diff --git a/phpgwapi/setup/tables_update.inc.php b/phpgwapi/setup/tables_update.inc.php
index a20d7b4dcb..535637d68e 100644
--- a/phpgwapi/setup/tables_update.inc.php
+++ b/phpgwapi/setup/tables_update.inc.php
@@ -778,4 +778,11 @@
 return $GLOBALS['setup_info']['phpgwapi']['currentver'] = '1.3.021'; } + + $test[] = '1.3.021'; + function phpgwapi_upgrade1_3_021() + { + # 1.4 Beta RC 1 + return $GLOBALS['setup_info']['phpgwapi']['currentver'] = '1.3.022'; + } ?>
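Review bot: The `attrs=children` rule for `^ou=shared,ou=contacts,ou=([^,]+),dc=localdomain$` ends with `by users none` while every other rule in the file closes with `by * none`; slapd denies on fall-through so the result is the same, but an ACL that is meant to be copied into production should state the deny explicitly and uniformly, so make it `by * none`. The commented-out `# by group.expand="..." peername=127.0.0.1 write` clause above the last rule is dead configuration that a later reader may re-enable without knowing why it was disabled; either drop it or replace it with a comment saying why localhost-only write was rejected. The two `dn.regex="ou=accounts,ou=([^,]+),dc=localdomain$"` rules and the two `cn=([^,]+),ou=...,ou=contacts,...` rules are deliberately unanchored so they also match the entries beneath the addressbook, unlike the `^`-anchored `attrs=children` rules; a one-line comment such as `# no leading ^ on purpose: this rule must also cover the entries below the addressbook` on each would keep someone from "fixing" the regex and silently removing user access.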
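Review bot: The new `phpgwapi_upgrade1_3_021()` in tables_update.inc.php carries only the bare `# 1.4 Beta RC 1` comment, which names a release but not what the step does; since the body performs no schema change and only advances `currentver`, a docblock stating that would save the next maintainer from looking for a missing table change: `/** No-op upgrade step for 1.4 Beta RC 1: only bumps the phpgwapi version to 1.3.022 */`. As a point of style, the `#` comment inside the function should be `//` to match PHP convention. The blank context line that follows the added `}` could not be placed with certainty from this patch, so the exact end-of-file layout around the closing `?>` is inferred, not confirmed.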