####################################################################### # # Access to accounts # ####################################################################### # only the user itself, the global admin, and the domain admin can # modify user passwords # required for authentication and changing password as user and admin access to dn.regex="^uid=([^,]+),ou=accounts,ou=([^,]+),dc=localdomain$" attrs=userPassword,userPKCS12 by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write by anonymous auth by self write by * none # allow admins to add new accounts to the tree access to dn.regex="^ou=accounts,ou=([^,]+),dc=localdomain$" attrs=children by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write by * none # allow users readonly access to accounts in their own domain # access is limited to attributes of objectclass inetOrgPerson,mozillaAbPersonAlpha and evolutionPerson # used to display accounts in the addressbook access to dn.regex="ou=accounts,ou=([^,]+),dc=localdomain$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson by dn.children,expand="ou=accounts,ou=$1,dc=localdomain" read by users none break by * none # allow admin account access to accounts in their own domain # used to modify and add new accounts access to dn.regex="ou=accounts,ou=([^,]+),dc=localdomain$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson,@dbmailUser,@shadowAccount by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write by * none ####################################################################### # # Access to groups # ####################################################################### # allow admins to add new groups to the tree access to dn.regex="^ou=groups,ou=([^,]+),dc=localdomain$" attrs=children by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write by * none # allow admin account access to groups in their own domain # used to modify and add new groups access to dn.regex="^cn=([^,]+),ou=groups,ou=([^,]+),dc=localdomain$" attrs=entry,@posixGroup,@groupOfNames by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write by * none ####################################################################### # # Access to personal addressbooks # ####################################################################### # allow admins to add new personal addressbooks to the tree access to dn.regex="^ou=personal,ou=contacts,ou=([^,]+),dc=localdomain$" attrs=children by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write by * none # allow admins to add new personal addressbooks # user can read the addressbooks only access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),dc=localdomain$" attrs=entry by dn.exact,expand="uid=$1,ou=accounts,ou=$2,dc=localdomain" read by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write by * none # allow user and egwadmin to manage personal addressbook entries access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),dc=localdomain$" by dn.exact,expand="uid=$1,ou=accounts,ou=$2,dc=localdomain" write by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write by * none ####################################################################### # # Access to group addressbooks # ####################################################################### # allow admins to add new group addressbooks to the tree access to dn.regex="^ou=shared,ou=contacts,ou=([^,]+),dc=localdomain$" attrs=children by dn.exact,expand="cn=egwadmin,ou=$1,dc=localdomain" write by users none # allow admins to add new group addressbooks # groupmembers can read the addressbooks only access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,ou=([^,]+),dc=localdomain$" attrs=entry by group.expand="cn=$1,ou=groups,ou=$2,dc=localdomain" read by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write by * none # allow groups and egwadmin to manage group addressbook entries # by group.expand="cn=$1,ou=groups,ou=$2,dc=localdomain" peername=127.0.0.1 write access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,ou=([^,]+),dc=localdomain$" by group.expand="cn=$1,ou=groups,ou=$2,dc=localdomain" write by dn.exact,expand="cn=egwadmin,ou=$2,dc=localdomain" write by * none