From ad6e2f6e9f8ddb37660391c93c7254b8c825ed78 Mon Sep 17 00:00:00 2001
From: Sistason <c3infra@sistason.de>
Date: Sat, 3 Apr 2021 16:38:08 +0200
Subject: [PATCH] update ACLs to allow for a user_connection of testadmin to
 manage users/groups.

This is an example implementation of writing ACLs for a user_connection.
---
 ansible-inventory.yml | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/ansible-inventory.yml b/ansible-inventory.yml
index 77a51a2..51a6a93 100644
--- a/ansible-inventory.yml
+++ b/ansible-inventory.yml
@@ -34,20 +34,37 @@ all:
         description: "Adminrechte im uffd Selfservice"
       acls:
       - >-
-        {0}to *
+        {0}to attrs=userPassword
+        by dn="cn=uffd,ou=system,dc=example,dc=com" =xw
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" =xw
+        by self =xw
+        by anonymous auth
+      - >-
+        {1}to attrs=shadowLastChange
+        by dn="cn=uffd,ou=system,dc=example,dc=com" write
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by self write
+      - >-
+        {2}to dn.subtree="ou=users,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by self write
+        by * read
       - >-
-        {1}to dn.children="ou=groups,dc=example,dc=com"
+        {3}to dn.children="ou=groups,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by * read
       - >-
-        {2}to dn.children="ou=postfix,dc=example,dc=com"
+        {4}to dn.children="ou=postfix,dc=example,dc=com"
         by dn="cn=uffd,ou=system,dc=example,dc=com" write
-        by * break
-      - '{3}to attrs=userPassword by self write by anonymous auth by * none'
-      - '{4}to attrs=shadowLastChange by self write by * read'
-      - '{5}to * by * read'
+        by group="cn=uffd_admin,ou=groups,dc=example,dc=com" write
+        by * read
+#      - >-
+#        {5}to *
+#        by dn="cn=uffd,ou=system,dc=example,dc=com" write
+#        by dn="uid=testadmin,ou=users,dc=example,dc=com" write
+#        by * read
     certificates:
       disable_letsencrypt_account_registration: True
       certs:
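Review bot: The new `{2}` rule (`to dn.subtree="ou=users,dc=example,dc=com"` ... `by self write`) widens self-write from the two password attributes the old `{3}`/`{4}` rules covered to the user's whole entry, because a `to dn.subtree` clause with no `attrs=` filter covers every attribute including the `entry` and `children` pseudo-attributes, so a bound user could change identity attributes such as uid or mail and likely delete their own entry. If only password self-service is intended, which `{0}` and `{1}` already grant, that line should be `by self read` (or simply dropped, since the following `by * read` already covers it). The `by self write` in `{1}` is fine as it is attribute-scoped. Note also that `{0}` no longer ends with an explicit `by * none`; OpenLDAP's implicit default is `none`, so behaviour is unchanged, but stating it keeps the rule self-describing. The `acls` list belongs to a mapping that starts before this hunk.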
-- 
GitLab