====== Installer FusionDirectory sur CentOS 6 ======
Cette page est en cours de rédaction, les notes peuvent être incomplètes ou erronées
Dans ce how-to, nous allons mettre en place [[http://fusiondirectory.org|FusionDirectory]] pour gérer dans un annuaire LDAP
* Les groupes et utilisateurs
* Samba
* DHCP
* DNS
* les utilisateurs LDAP système (branche DSA)
Deux serveurs seront mis en place:
* Le premier exécutera OpenLDAP
* Le second hébergera l'interface de FusionDirectory
===== Prérequis =====
Deux serveurs (possible de tout déployer sur un seul également) sous CentOS 6.4 x86_64. Le dépôt EPEL est configuré et activé
===== Configuration des dépôts =====
Il faut ajouter le dépôt FusionFirectory
cat <<'EOF' > /etc/yum.repos.d/fusiondirectory.repo
[fusiondirectory]
name=Fusiondirectory Packages for RHEL / CentOS 6
baseurl=http://repos.fusiondirectory.org/rhel/6/noarch
enabled=1
gpgcheck=1
gpgkey=http://download.fusiondirectory.org/gpg/fusiondirectory_public.key
EOF
===== Préparer l'environnement =====
mkdir /etc/install
chmod 700 /etc/install
echo 'p@ssw0rd' > /etc/install/ldap.pw
echo 'Firewall Services' > /etc/install/ldap.org
echo 'dc=firewall-services,dc=com' > /etc/install/ldap.base
echo 'firewall-services' > /etc/install/ldap.topdc
echo 'files' > /etc/install/samba.netbios
echo 'FIREWALL.LOCAL' > /etc/install/samba.domain
echo 'firewall-services.com' > /etc/install/dnsdomain
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/samba.pw
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/dhcp.pw
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/unix.pw
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/dns.pw
openssl rand -base64 33 | perl -pe 's/\//\./g' > /etc/install/ssh.pw
===== Installer OpenLDAP =====
Sur le serveur LDAP
* installer OpenLDAP:
yum install openldap-servers openldap-clients
* Installer les schemas
yum install fusiondirectory-schema
* Schema supplémentaires:
attributetype ( 2.16.840.1.38414.1.203.4.1
NAME 'dhcpPrimaryDN'
EQUALITY distinguishedNameMatch
DESC 'The DN of the dhcpServer which is the primary server for the configuration.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.2
NAME 'dhcpSecondaryDN'
EQUALITY distinguishedNameMatch
DESC 'The DN of dhcpServer(s) which provide backup service for the configuration.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.3
NAME 'dhcpStatements'
EQUALITY caseIgnoreIA5Match
DESC 'Flexible storage for specific data depending on what object this exists in. Like conditional statements, server parameters, etc. This allows the standard to evolve without needing to adjust the schema.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.38414.1.203.4.4
NAME 'dhcpRange'
EQUALITY caseIgnoreIA5Match
DESC 'The starting & ending IP Addresses in the range (inclusive), separated by a hyphen; if the range only contains one address, then just the address can be specified with no hyphen. Each range is defined as a separate value.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.38414.1.203.4.5
NAME 'dhcpPermitList'
EQUALITY caseIgnoreIA5Match
DESC 'This attribute contains the permit lists associated with a pool. Each permit list is defined as a separate value.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.38414.1.203.4.6
NAME 'dhcpNetMask'
EQUALITY integerMatch
DESC 'The subnet mask length for the subnet. The mask can be easily computed from this length.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.7
NAME 'dhcpOption'
EQUALITY caseIgnoreIA5Match
DESC 'Encoded option values to be sent to clients. Each value represents a single option and contains (OptionTag, Length, OptionValue) encoded in the format used by DHCP.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.38414.1.203.4.8
NAME 'dhcpClassData'
EQUALITY caseIgnoreIA5Match
DESC 'Encoded text string or list of bytes expressed in hexadecimal, separated by colons. Clients match subclasses based on matching the class data with the results of match or spawn with statements in the class name declarations.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.9
NAME 'dhcpOptionsDN'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name(s) of the dhcpOption objects containing the configuration options provided by the server.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.10
NAME 'dhcpHostDN'
EQUALITY distinguishedNameMatch
DESC 'the distinguished name(s) of the dhcpHost objects.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.11
NAME 'dhcpPoolDN'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name(s) of pools.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.12
NAME 'dhcpGroupDN'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name(s) of the groups.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.13
NAME 'dhcpSubnetDN'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name(s) of the subnets.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.14
NAME 'dhcpLeaseDN'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name of a client address.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE)
attributetype ( 2.16.840.1.38414.1.203.4.15
NAME 'dhcpLeasesDN'
DESC 'The distinguished name(s) client addresses.'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.16
NAME 'dhcpClassesDN'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name(s) of a class(es) in a subclass.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.17
NAME 'dhcpSubclassesDN'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name(s) of subclass(es).'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.18
NAME 'dhcpSharedNetworkDN'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name(s) of sharedNetworks.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.19
NAME 'dhcpServiceDN'
EQUALITY distinguishedNameMatch
DESC 'The DN of dhcpService object(s)which contain the configuration information. Each dhcpServer object has this attribute identifying the DHCP configuration(s) that the server is associated with.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.20
NAME 'dhcpVersion'
DESC 'The version attribute of this object.'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.21
NAME 'dhcpImplementation'
EQUALITY caseIgnoreIA5Match
DESC 'Description of the DHCP Server implementation e.g. DHCP Servers vendor.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.22
NAME 'dhcpAddressState'
EQUALITY caseIgnoreIA5Match
DESC 'This stores information about the current binding-status of an address. For dynamic addresses managed by DHCP, the values should be restricted to the following: "FREE", "ACTIVE", "EXPIRED", "RELEASED", "RESET", "ABANDONED", "BACKUP". For other addresses, it SHOULD be one of the following: "UNKNOWN", "RESERVED" (an address that is managed by DHCP that is reserved for a specific client), "RESERVED-ACTIVE" (same as reserved, but address is currently in use), "ASSIGNED" (assigned manually or by some other mechanism), "UNASSIGNED", "NOTASSIGNABLE".'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.23
NAME 'dhcpExpirationTime'
EQUALITY generalizedTimeMatch
DESC 'This is the time the current lease for an address expires.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.24
NAME 'dhcpStartTimeOfState'
EQUALITY generalizedTimeMatch
DESC 'This is the time of the last state change for a leased address.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.25
NAME 'dhcpLastTransactionTime'
EQUALITY generalizedTimeMatch
DESC 'This is the last time a valid DHCP packet was received from the client.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.26
NAME 'dhcpBootpFlag'
EQUALITY booleanMatch
DESC 'This indicates whether the address was assigned via BOOTP.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.27
NAME 'dhcpDomainName'
EQUALITY caseIgnoreIA5Match
DESC 'This is the name of the domain sent to the client by the server. It is essentially the same as the value for DHCP option 15 sent to the client, and represents only the domain - not the full FQDN. To obtain the full FQDN assigned to the client you must prepend the "dhcpAssignedHostName" to this value with a ".".'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.28
NAME 'dhcpDnsStatus'
EQUALITY integerMatch
DESC 'This indicates the status of updating DNS resource records on behalf of the client by the DHCP server for this address. The value is a 16-bit bitmask.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.29
NAME 'dhcpRequestedHostName'
EQUALITY caseIgnoreIA5Match
DESC 'This is the hostname that was requested by the client.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.30
NAME 'dhcpAssignedHostName'
EQUALITY caseIgnoreIA5Match
DESC 'This is the actual hostname that was assigned to a client. It may not be the name that was requested by the client. The fully qualified domain name can be determined by appending the value of "dhcpDomainName" (with a dot separator) to this name.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.31
NAME 'dhcpReservedForClient'
EQUALITY distinguishedNameMatch
DESC 'The distinguished name of a "dhcpClient" that an address is reserved for. This may not be the same as the "dhcpAssignedToClient" attribute if the address is being reassigned but the current lease has not yet expired.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.32
NAME 'dhcpAssignedToClient'
EQUALITY distinguishedNameMatch
DESC 'This is the distinguished name of a "dhcpClient" that an address is currently assigned to. This attribute is only present in the class when the address is leased.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.33
NAME 'dhcpRelayAgentInfo'
EQUALITY octetStringMatch
DESC 'If the client request was received via a relay agent, this contains information about the relay agent that was available from the DHCP request. This is a hex-encoded option value.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.34
NAME 'dhcpHWAddress'
EQUALITY caseIgnoreIA5Match
DESC 'The clients hardware address that requested this IP address.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.35
NAME 'dhcpHashBucketAssignment'
EQUALITY octetStringMatch
DESC 'HashBucketAssignment bit map for the DHCP Server, as defined in DHC Load Balancing Algorithm [RFC 3074].'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.36
NAME 'dhcpDelayedServiceParameter'
EQUALITY integerMatch
DESC 'Delay in seconds corresponding to Delayed Service Parameter configuration, as defined in DHC Load Balancing Algorithm [RFC 3074]. '
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.37
NAME 'dhcpMaxClientLeadTime'
EQUALITY integerMatch
DESC 'Maximum Client Lead Time configuration in seconds, as defined in DHCP Failover Protocol [FAILOVR]'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.38
NAME 'dhcpFailOverEndpointState'
EQUALITY caseIgnoreIA5Match
DESC 'Server (Failover Endpoint) state, as defined in DHCP Failover Protocol [FAILOVR]'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.39
NAME 'dhcpErrorLog'
EQUALITY caseIgnoreIA5Match
DESC 'Generic error log attribute that allows logging error conditions within a dhcpService or a dhcpSubnet, like no IP addresses available for lease.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.40
NAME 'dhcpLocatorDN'
EQUALITY distinguishedNameMatch
DESC 'The DN of dhcpLocator object which contain the DNs of all DHCP configuration objects. There will be a single dhcpLocator object in the tree with links to all the DHCP objects in the tree'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.41
NAME 'dhcpKeyAlgorithm'
EQUALITY caseIgnoreIA5Match
DESC 'Algorithm to generate TSIG Key'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.42
NAME 'dhcpKeySecret'
EQUALITY octetStringMatch
DESC 'Secret to generate TSIG Key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.43
NAME 'dhcpDnsZoneServer'
EQUALITY caseIgnoreIA5Match
DESC 'Master server of the DNS Zone'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 2.16.840.1.38414.1.203.4.44
NAME 'dhcpKeyDN'
EQUALITY distinguishedNameMatch
DESC 'The DNs of TSIG Key to use in secure dynamic updates. In case of locator object, this will be list of TSIG keys. In case of DHCP Service, Shared Network, Subnet and DNS Zone, it will be a single key.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
attributetype ( 2.16.840.1.38414.1.203.4.45
NAME 'dhcpZoneDN'
EQUALITY distinguishedNameMatch
DESC 'The DNs of DNS Zone. In case of locator object, this will be list of DNS Zones in the tree. In case of DHCP Service, Shared Network and Subnet, it will be a single DNS Zone.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
attributetype ( 2.16.840.1.38414.1.203.4.46
NAME 'dhcpFailOverPrimaryServer'
EQUALITY caseIgnoreIA5Match
DESC 'IP address or DNS name of the server playing primary role in DHC Load Balancing and Fail over.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.38414.1.203.4.47
NAME 'dhcpFailOverSecondaryServer'
EQUALITY caseIgnoreIA5Match
DESC 'IP address or DNS name of the server playing secondary role in DHC Load Balancing and Fail over.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.38414.1.203.4.48
NAME 'dhcpFailOverPrimaryPort'
EQUALITY integerMatch
DESC 'Port on which primary server listens for connections from its fail over peer (secondary server)'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.38414.1.203.4.49
NAME 'dhcpFailOverSecondaryPort'
EQUALITY integerMatch
DESC 'Port on which secondary server listens for connections from its fail over peer (primary server)'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.38414.1.203.4.50
NAME 'dhcpFailOverResponseDelay'
EQUALITY integerMatch
DESC 'Maximum response time in seconds, before Server assumes that connection to fail over peer has failed'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.38414.1.203.4.51
NAME 'dhcpFailOverUnackedUpdates'
EQUALITY integerMatch
DESC 'Number of BNDUPD messages that server can send before it receives BNDACK from its fail over peer'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.38414.1.203.4.52
NAME 'dhcpFailOverSplit'
EQUALITY integerMatch
DESC 'Split between the primary and secondary servers for fail over purpose'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.38414.1.203.4.53
NAME 'dhcpFailOverLoadBalanceTime'
EQUALITY integerMatch
DESC 'Cutoff time in seconds, after which load balance is disabled'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.38414.1.203.4.54
NAME 'dhcpFailOverPeerDN'
EQUALITY distinguishedNameMatch
DESC 'The DNs of Fail over peers. In case of locator object, this will be list of fail over peers in the tree. In case of Subnet and pool, it will be a single Fail Over Peer'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
#List of all servers in the tree
attributetype ( 2.16.840.1.38414.1.203.4.55
NAME 'dhcpServerDN'
EQUALITY distinguishedNameMatch
DESC 'List of all DHCP Servers in the tree. Used by dhcpLocatorObject'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.38414.1.203.4.56
NAME 'dhcpComments'
EQUALITY caseIgnoreIA5Match
DESC 'Generic attribute that allows coments within any DHCP object'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
# Classes
objectclass ( 2.16.840.1.38414.1.203.6.1
NAME 'dhcpService'
DESC 'Service object that represents the actual DHCP Service configuration. This is a container object.'
SUP top
MUST (cn)
MAY ( dhcpPrimaryDN $ dhcpSecondaryDN $ dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $dhcpComments $ dhcpOption) )
objectclass ( 2.16.840.1.38414.1.203.6.2
NAME 'dhcpSharedNetwork'
DESC 'This stores configuration information for a shared network.'
SUP top
MUST cn
MAY ( dhcpSubnetDN $ dhcpPoolDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpStatements $dhcpComments $ dhcpOption) X-NDS_CONTAINMENT ('dhcpService' ) )
objectclass ( 2.16.840.1.38414.1.203.6.3
NAME 'dhcpSubnet'
DESC 'This class defines a subnet. This is a container object.'
SUP top
MUST ( cn $ dhcpNetMask )
MAY ( dhcpRange $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $ dhcpKeyDN $ dhcpFailOverPeerDN $ dhcpStatements $ dhcpComments $ dhcpOption ) X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork') )
objectclass ( 2.16.840.1.38414.1.203.6.4
NAME 'dhcpPool'
DESC 'This stores configuration information about a pool.'
SUP top
MUST ( cn $ dhcpRange )
MAY ( dhcpClassesDN $ dhcpPermitList $ dhcpLeasesDN $ dhcpOptionsDN $ dhcpZoneDN $dhcpKeyDN $ dhcpStatements $ dhcpComments $ dhcpOption )
X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpSharedNetwork') )
objectclass ( 2.16.840.1.38414.1.203.6.5
NAME 'dhcpGroup'
DESC 'Group object that lists host DNs and parameters. This is a container object.'
SUP top
MUST cn
MAY ( dhcpHostDN $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption )
X-NDS_CONTAINMENT ('dhcpSubnet' 'dhcpService' ) )
objectclass ( 2.16.840.1.38414.1.203.6.6
NAME 'dhcpHost'
DESC 'This represents information about a particular client'
SUP top
MUST cn
MAY (dhcpLeaseDN $ dhcpHWAddress $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' 'dhcpGroup') )
objectclass ( 2.16.840.1.38414.1.203.6.7
NAME 'dhcpClass'
DESC 'Represents information about a collection of related clients.'
SUP top
MUST cn
MAY (dhcpSubClassesDN $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption)
X-NDS_CONTAINMENT ('dhcpService' 'dhcpSubnet' ) )
objectclass ( 2.16.840.1.38414.1.203.6.8
NAME 'dhcpSubClass'
DESC 'Represents information about a collection of related classes.'
SUP top
MUST cn
MAY (dhcpClassData $ dhcpOptionsDN $ dhcpStatements $ dhcpComments $ dhcpOption) X-NDS_CONTAINMENT 'dhcpClass' )
objectclass ( 2.16.840.1.38414.1.203.6.9
NAME 'dhcpOptions'
DESC 'Represents information about a collection of options defined.'
SUP top AUXILIARY
MUST cn
MAY ( dhcpOption $ dhcpComments )
X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet' 'dhcpPool' 'dhcpGroup' 'dhcpHost' 'dhcpClass' ) )
objectclass ( 2.16.840.1.38414.1.203.6.10
NAME 'dhcpLeases'
DESC 'This class represents an IP Address, which may or may not have been leased.'
SUP top
MUST ( cn $ dhcpAddressState )
MAY ( dhcpExpirationTime $ dhcpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress )
X-NDS_CONTAINMENT ( 'dhcpService' 'dhcpSubnet' 'dhcpPool') )
objectclass ( 2.16.840.1.38414.1.203.6.11
NAME 'dhcpLog'
DESC 'This is the object that holds past information about the IP address. The cn is the time/date stamp when the address was assigned or released, the address state at the time, if the address was assigned or released.'
SUP top
MUST ( cn )
MAY ( dhcpAddressState $ dhcpExpirationTime $ dhcpStartTimeOfState $ dhcpLastTransactionTime $ dhcpBootpFlag $ dhcpDomainName $ dhcpDnsStatus $ dhcpRequestedHostName $ dhcpAssignedHostName $ dhcpReservedForClient $ dhcpAssignedToClient $ dhcpRelayAgentInfo $ dhcpHWAddress $ dhcpErrorLog)
X-NDS_CONTAINMENT ('dhcpLeases' 'dhcpPool' 'dhcpSubnet' 'dhcpSharedNetwork' 'dhcpService' ) )
objectclass ( 2.16.840.1.38414.1.203.6.12
NAME 'dhcpServer'
DESC 'DHCP Server Object'
SUP top AUXILIARY
MUST ( cn )
MAY (dhcpServiceDN $ dhcpLocatorDN $ dhcpVersion $ dhcpImplementation $ dhcpHashBucketAssignment $ dhcpDelayedServiceParameter $ dhcpMaxClientLeadTime $ dhcpFailOverEndpointState $ dhcpStatements $ dhcpComments $ dhcpOption)
X-NDS_CONTAINMENT ('organization' 'organizationalunit' 'domain') )
objectclass ( 2.16.840.1.38414.1.203.6.13
NAME 'dhcpTSigKey'
DESC 'TSIG key for secure dynamic updates'
SUP top
MUST (cn $ dhcpKeyAlgorithm $ dhcpKeySecret )
MAY ( dhcpComments )
X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
objectclass ( 2.16.840.1.38414.1.203.6.14
NAME 'dhcpDnsZone'
DESC 'DNS Zone for updating leases'
SUP top
MUST (cn $ dhcpDnsZoneServer )
MAY (dhcpKeyDN $ dhcpComments)
X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
objectclass ( 2.16.840.1.38414.1.203.6.15
NAME 'dhcpFailOverPeer'
DESC 'This class defines the Fail over peer'
SUP top
MUST ( cn $ dhcpFailOverPrimaryServer $ dhcpFailOverSecondaryServer $ dhcpFailoverPrimaryPort $ dhcpFailOverSecondaryPort) MAY (dhcpFailOverResponseDelay $ dhcpFailOverUnackedUpdates $ dhcpMaxClientLeadTime $ dhcpFailOverSplit $ dhcpHashBucketAssignment $ dhcpFailOverLoadBalanceTime $ dhcpComments )
X-NDS_CONTAINMENT ('dhcpService' 'dhcpSharedNetwork' 'dhcpSubnet') )
objectclass ( 2.16.840.1.38414.1.203.6.16
NAME 'dhcpLocator'
DESC 'Locator object for DHCP configuration in the tree. There will be a single dhcpLocator object in the tree with links to all the DHCP objects in the tree'
SUP top
MUST ( cn )
MAY ( dhcpServiceDN $dhcpServerDN $ dhcpSharedNetworkDN $ dhcpSubnetDN $ dhcpPoolDN $ dhcpGroupDN $ dhcpHostDN $ dhcpClassesDN $ dhcpKeyDN $ dhcpZoneDN $ dhcpFailOverPeerDN $ dhcpOption $ dhcpComments)
X-NDS_CONTAINMENT ('organization' 'organizationalunit' 'domain') )
# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
DESC 'An integer denoting time to live'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
DESC 'The class of a resource record'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
DESC 'The name of a zone, i.e. the name of the highest node in the zone'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
DESC 'The starting labels of a domain name'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
DESC 'domain name pointer, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
DESC 'host information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
DESC 'mailbox or mail list information, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
DESC 'text string, RFC 1035'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
DESC 'for AFS Data Base location, RFC 1183'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
DESC 'Signature, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
DESC 'Key, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
DESC 'IPv6 address, RFC 1886'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
DESC 'Location, RFC 1876'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
DESC 'non-existant, RFC 2535'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
DESC 'service location, RFC 2782'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
DESC 'Naming Authority Pointer, RFC 2915'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
DESC 'Key Exchange Delegation, RFC 2230'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
DESC 'certificate, RFC 2538'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
DESC 'A6 Record Type, RFC 2874'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
DESC 'Delegation Signer, RFC 3658'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
DESC 'RRSIG, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
DESC 'NSEC, RFC 3755'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
SUP top STRUCTURAL
MUST ( zoneName $ relativeDomainName )
MAY ( DNSTTL $ DNSClass $
ARecord $ MDRecord $ MXRecord $ NSRecord $
SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $
KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $
SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $
RRSIGRecord $ NSECRecord ) )
##
## dsa-fd.schema - Needed by Fusion Directory for managing DSA
##
# Attributes
attributetype ( 1.3.6.1.4.1.38414.13.1.1 NAME 'fdDSARDN'
DESC 'FusionDirectory - DSA RDN'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE)
# Object Class
objectclass ( 1.3.6.1.4.1.38414.13.2.1 NAME 'fdDsaPluginConf'
DESC 'FusionDirectory dsa plugin configuration'
SUP top AUXILIARY
MUST ( cn )
MAY ( fdDSARDN ) )
##
## fd-samba-conf.schema - Needed by FusionDirectory Samba Plugin for its configuration
##
# Attributes
# Samba settings
attributetype ( 1.3.6.1.4.1.38414.9.1.1 NAME 'fdSambaMachineAccountRDN'
DESC 'FusionDirectory - Samba RDN'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.38414.9.1.2 NAME 'fdSambaIdMapping'
DESC 'FusionDirectory - Samba id mapping'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.38414.9.1.3 NAME 'fdSambaSID'
DESC 'FusionDirectory - Samba SID'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.38414.9.1.4 NAME 'fdSambaRidBase'
DESC 'FusionDirectory - Samba rid base'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.38414.9.1.5 NAME 'fdSambaExpirationSync'
DESC 'FusionDirectory - Samba expiration date synchronisation'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.38414.9.1.6 NAME 'fdSambaGenLMPassword'
DESC 'FusionDirectory - Samba LMPassword activation'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# Object Class
objectclass ( 1.3.6.1.4.1.38414.9.2.1 NAME 'fdSambaPluginConf'
DESC 'FusionDirectory samba plugin configuration'
SUP top AUXILIARY
MUST ( )
MAY ( fdSambaMachineAccountRDN $ fdSambaIdMapping $
fdSambaSID $ fdSambaRidBase $ fdSambaExpirationSync $ fdSambaGenLMPassword) )
* Mise en place de la conf slapd
cat <<'EOF' > /etc/openldap/slapd.conf
sed -i -e "s/dc=firewall-services,dc=com/$(cat /etc/install/ldap.base)/g" \
-e "s/__SECRET__/$(cat /etc/install/ldap.pw)/g" /etc/openldap/slapd.conf
mkdir -p /var/lib/ldap/db_log
chown ldap:ldap /var/lib/ldap/db_log
chown 770 /var/lib/ldap/db_log
cat <<'EOF' > /var/lib/ldap/DB_CONFIG
#
# Set the database in memory cache size.
#
set_cachesize 0 2097152 0
#
# Set log values.
#
set_lg_regionmax 1048576
set_lg_max 10485760
set_lg_bsize 2097152
set_lg_dir /var/lib/ldap/db_log
EOF
dn: dc=firewall-services,dc=com
dc: firewall-services
o: Firewall Services
ou: firewall-services
description: firewall-services
objectClass: top
objectClass: organization
objectClass: dcObject
objectClass: gosaDepartment
sed -i -e "s/dc=firewall-services,dc=com/$(cat /etc/install/ldap.base)/g" \
-e "s/firewall-services/$(cat /etc/install/ldap.topdc)/g" ./init.ldif
slapadd -f init.ldif
chown -R ldap:ldap /var/lib/ldap/*
===== En vrac =====
options {
listen-on port 53 { 127.0.0.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost;};
recursion no;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "firewall-services.com" IN {
type master;
database "ldap ldap://localhost/ou=servers,ou=systems,dc=firewall-services,dc=com????!bindname=cn=dns%2cou=DSA%2cdc=firewall-services%2cdc=com,!x-bindpw=__DNS_SECRET__ 172800";
};
zone "10.10.in-addr.arpa" IN {
type master;
database "ldap ldap://localhost/ou=servers,ou=systems,dc=firewall-services,dc=com????!bindname=cn=dns%2cou=DSA%2cdc=firewall-services%2cdc=com,!x-bindpw=__DNS_SECRET__ 172800";
};
server:
verbosity: 1
statistics-interval: 0
statistics-cumulative: no
extended-statistics: yes
num-threads: 2
interface: 10.10.4.10
interface-automatic: no
do-ip6: no
access-control: 127.0.0.1 allow
access-control: 10.10.0.0/16 allow
chroot: ""
username: "unbound"
directory: "/etc/unbound"
log-time-ascii: yes
pidfile: "/var/run/unbound/unbound.pid"
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
use-caps-for-id: no
unwanted-reply-threshold: 10000000
do-not-query-localhost: no
prefetch: yes
prefetch-key: yes
dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/etc/unbound/root.anchor"
val-clean-additional: yes
val-permissive-mode: no
val-log-level: 1
include: /etc/unbound/local.d/*.conf
remote-control:
control-enable: no
stub-zone:
name: "firewall-services.com"
stub-addr: 127.0.0.1
forward-zone:
name: "."
forward-addr: 88.191.254.60
forward-addr: 88.191.254.70
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/fusiondirectory/rfc2307bis.schema
include /etc/openldap/schema/fusiondirectory/samba.schema
include /etc/openldap/schema/fusiondirectory/samba-fd-conf.schema
include /etc/openldap/schema/fusiondirectory/core-fd-conf.schema
include /etc/openldap/schema/fusiondirectory/core-fd.schema
include /etc/openldap/schema/fusiondirectory/ldapns.schema
include /etc/openldap/schema/fusiondirectory/recovery-fd.schema
include /etc/openldap/schema/fusiondirectory/dnszone.schema
include /etc/openldap/schema/fusiondirectory/dhcp-fd.schema
include /etc/openldap/schema/fusiondirectory/dsa-fd-conf.schema
include /etc/openldap/schema/fusiondirectory/mime-fd.schema
include /etc/openldap/schema/fusiondirectory/service-fd.schema
include /etc/openldap/schema/fusiondirectory/systems-fd-conf.schema
include /etc/openldap/schema/fusiondirectory/openssh-lpk.schema
include /etc/openldap/schema/fusiondirectory/systems-fd.schema
include /etc/openldap/schema/fusiondirectory/mail-fd.schema
include /etc/openldap/schema/fusiondirectory/mail-fd-conf.schema
include /etc/openldap/schema/fusiondirectory/alias-fd-conf.schema
include /etc/openldap/schema/fusiondirectory/alias-fd.schema
password-hash {SSHA}
pidfile /var/run/openldap/slapd.pid
loglevel 256
modulepath /usr/lib64/openldap
moduleload back_hdb
moduleload memberof
database monitor
database hdb
mode 0600
suffix dc=firewall-services,dc=com
rootdn cn=admin,dc=firewall-services,dc=com
rootpw __LDAP_SECRET__
directory /var/lib/ldap
cachesize 10000
checkpoint 128 15
index uid,mail eq,sub
index cn,sn,givenName,ou pres,eq,sub
index objectClass pres,eq
index uidNumber,gidNumber,memberuid,member eq
index gosaSubtreeACL,gosaObject,gosaUser pres,eq
index sambaSID eq,sub
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index zoneName eq
index relativeDomainName eq
index dhcpHWAddress eq
index dhcpClassData eq
index dhcpPrimaryDN eq
index dhcpSecondaryDN eq
index dhcpServerDN eq
index dhcpFailOverPeerDN eq
access to attrs=userPassword,sambaLmPassword,sambaNtPassword
by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
by anonymous auth
by self write
by * none
access to attrs=sambaAcctFlags,sambaBadPasswordCount,sambaBadPasswordTime,sambaKickoffTime,sambaLogoffTime,sambaLogonHours,sambaPasswordHistory,sambaSID,sambaPrimaryGroupSID,sambaPwdCanChange,sambaPwdLastSet,sambaPwdMustChange,sambaUserWorkstations,sambaSIDList,sambaGroupType,sambaMungedDial,sambaLogonHours,sambaLogonTime,sambaDomainName,sambaHomePath,sambaHomeDrive
by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
by self read
by * none
access to filter=(objectClass=sambaDomain)
by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
by * none
access to dn.subtree=ou=Computers,ou=systems,dc=firewall-services,dc=com
by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
by * none
access to attrs=loginShell,gidNumber,homeDirectory,uidNumber,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning
by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com write
by self read
by dn="cn=unix,ou=DSA,dc=firewall-services,dc=com" read
access to dn.subtree=ou=DSA,dc=firewall-services,dc=com
by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
by * none
access to dn.base=dc=firewall-services,dc=com
by * read
access to dn.subtree=ou=systems,dc=firewall-services,dc=com filter=(objectClass=dNSZone)
by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" write
by dn="cn=dns,ou=DSA,dc=firewall-services,dc=com" read
by * none
access to dn.regex="^.*,ou=(People|Groups),dc=firewall-services,dc=org"
by * read
access to *
by users read
by anonymous auth