update ACLs to allow for a user_connection of testadmin to manage users/groups.

This is an example implementation of writing ACLs for a user_connection.

ansible-inventory.yml

@@ -34,20 +34,37 @@ all:
         description: "Adminrechte im uffd Selfservice"
       acls:
       - >-
-        {0}to *
+        {0}to attrs=userPassword
+        by dn="cn=uffd,ou=system,dc=example,dc=com" =xw
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" =xw
+        by self =xw
+        by anonymous auth
+      - >-
+        {1}to attrs=shadowLastChange
+        by dn="cn=uffd,ou=system,dc=example,dc=com" write
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by self write
+      - >-
+        {2}to dn.subtree="ou=users,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by self write
+        by * read
       - >-
-        {1}to dn.children="ou=groups,dc=example,dc=com"
+        {3}to dn.children="ou=groups,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by * read
       - >-
-        {2}to dn.children="ou=postfix,dc=example,dc=com"
+        {4}to dn.children="ou=postfix,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
-      - '{3}to attrs=userPassword by self write by anonymous auth by * none'
-      - '{4}to attrs=shadowLastChange by self write by * read'
-      - '{5}to * by * read'
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by * read
+#      - >-
+#        {5}to *
+#        by dn="cn=uffd,ou=system,dc=example,dc=com" write
+#        by dn="uid=testadmin,ou=users,dc=example,dc=com" write
+#        by * read
     certificates:
       disable_letsencrypt_account_registration: True
       certs: