dn: dc=georgetown, dc=edu
changetype: modify
replace: aci
#
# GUNS Enterprise Directory Service ACLs
#
# This LDIF replaces the full aci set on the suffix dc=georgetown,dc=edu.
# Each "aci:" value below is one Netscape/iPlanet-style ACI (version 3.0).
# Do not put blank lines between the aci values -- a blank line ends the
# modify record and the remaining ACIs would not be applied.
#
# NOTE(review): the same acl name ("User Self Modification") is used on three
# different ACIs in this file; acl names show up in access logs and error
# messages, so unique names make it much easier to tell which rule fired.
#
#############################################################################################
# "Directory Managers" ACL
#
# NOTE(review): the acl label is "Configuration Administrators" although the
# section is titled "Directory Managers"; both groups get allow (all) on every
# attribute under the suffix, so this is the effective super-user grant.
#
aci: (targetattr="*") (version 3.0; acl "Configuration Administrators"; allow (all) groupdn = "ldap:///cn=Directory_Managers,ou=Specials,dc=georgetown,dc=edu" or groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot" ; )
#
#############################################################################################
# CorpTime restricted controls - attributes
# remember to use objectclass=ctcal* when auto user management is in place
# otherwise, chicken/egg problem (5/19/2000)
#
# NOTE(review): "objectclass" is in the targetattr list, so this grant lets
# the CorpTime operators change the objectclass of any guperson entry, not
# only the ctcal*/guservice* attributes -- confirm that is intended.
#
aci: (targetattr = "objectclass || ctcal* || guservice*") (targetfilter = "(objectclass=guperson)") (version 3.0; acl "Corporate Time attributes"; allow (all) groupdn = "ldap:///cn=CorpTime System Operators,dc=georgetown,dc=edu" or userdn = "ldap:///cn=CorpTime Service Admin,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# CorpTime restricted controls - DIT
#
aci: (targetattr = "*") (target = "ldap:///*,ou=CorporateTime,dc=georgetown,dc=edu") (version 3.0; acl "Corporate Time DIT"; allow (all) groupdn = "ldap:///cn=CorpTime System Operators,dc=georgetown,dc=edu" or userdn = "ldap:///cn=CorpTime Service Admin,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# group management can be handled by the owners of the group
#
# Whoever is named in (or is a member of the group named in) the entry's
# "owner" attribute may write uniquemember.  Write access to "owner" itself
# is therefore the real control point for group membership; it is not granted
# in this file, so it stays with the directory managers.
#
aci: (targetattr = "uniquemember") (version 3.0; acl "Group Membership by owners"; allow (write) userdnattr = "owner" or groupdnattr = "owner" ; )
#
#############################################################################################
# temporary: netid office can delete reservedwords -- remove this when IA provides tool
# 7/13/2000
aci: (target="ldap:///*,ou=reservedwords,dc=georgetown,dc=edu") (version 3.0; acl "NetID office can delete reservedwords"; allow (delete) groupdn = "ldap:///cn=NetID Managers,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Secondary NetID adds
#
# The "!=" targetfilter means NetID Managers may only add People entries that
# carry neither gussn nor gualumniid, i.e. entries that are not tied to a
# primary identity.
#
aci: (targetattr = "*") (targetfilter != "(| (gussn=*) (gualumniid=*) )") (target="ldap:///*,ou=People,dc=georgetown,dc=edu") (version 3.0; acl "Adding Secondary NetIDs"; allow (add) groupdn = "ldap:///cn=NetID Managers,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Secondary NetID guref and gucampus
#
aci: (targetattr = "guref || gucampus") (targetfilter != "(| (gussn=*) (gualumniid=*) )") (version 3.0; acl "guRef/gucampus assignments"; allow (write) groupdn = "ldap:///cn=NetID Managers,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# guType and other special attrs management
#
# NOTE(review): gutype drives the pwreset-disabled handling further down, so
# write access here also lets NetID Managers clear that flag.
#
aci: (targetattr = "gutype || guservice") (version 3.0; acl "gutype and friends"; allow (write) groupdn = "ldap:///cn=NetID Managers,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# guRadiusProfile management
#
aci: (targetattr = "guradiusprofile") (version 3.0; acl "guRadiusProfile"; allow (write) groupdn = "ldap:///cn=Remote Access Managers,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# ou=Lists -- automatic management
#
# Single service account with allow (all) on the whole ou=Lists subtree.
#
aci: (targetattr = "*") (target="ldap:///*,ou=Lists,dc=georgetown,dc=edu") (version 3.0; acl "ou=Lists"; allow (all) userdn = "ldap:///cn=Autolist Administrator,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
#
# ou=Aliases
#
aci: (targetattr = "cn || givenname || sn || uid || ou || guemailbox || guemailboxalternate || gurestrict || seealso || manager || description ") (target="ldap:///uid=*,ou=Aliases,dc=georgetown,dc=edu") (version 3.0; acl "ou=Aliases"; allow (all) groupdn = "ldap:///cn=Aliases Managers,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Password Changing
#
# The reset service and the Password Resets group can write userPassword and
# gupwtimebomb on any entry under the suffix (no target/targetfilter).
# gutype is included presumably so a reset can set/clear pwreset-disabled
# (see the gutype ACIs below) -- confirm.
#
aci: (targetattr = "userPassword || gupwtimebomb || gutype" ) (version 3.0; acl "Password Changing"; allow (write) userdn = "ldap:///cn=PasswordChangeServiceAdmin,ou=Specials,dc=georgetown,dc=edu" or groupdn = "ldap:///cn=Password Resets,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Controlled access to the SSN
#
# guSSN is readable only by these two groups; it is also explicitly excluded
# from the anonymous and self-read ACIs below.
#
aci: (targetattr = "guSSN") (version 3.0; acl "SSN attribute"; allow (read, search, compare) groupdn = "ldap:///cn=ReadOnlyServiceAdmins,ou=Specials,dc=georgetown,dc=edu" or groupdn = "ldap:///cn=ReadOnlyAdmins,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# For those who require access to the uid/dn to provide authentication service only
# This is usually for web servers like apache
#
# Deleted entries and AlumniClaim entries are filtered out so that such
# accounts cannot be resolved (and hence authenticated) through this path.
#
aci: (targetattr="uid || dn || objectclass || guprimaryaffiliation || gupwtimebomb || gutype") (targetfilter != "(| (gudeleteflag=*) (guRestrict=AlumniClaim) )") (version 3.0; acl "UID->DN Mapping"; allow (read, search, compare) groupdn = "ldap:///cn=uidReadServiceAdmins,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Buckley - priv'd people and processes can see them. Processes so we can
# still provide service and keep them hidden
#
# NOTE(review): the Help Desk Professional Staff DN is written with a space
# after the comma ("ou=Specials, dc=georgetown") here and in the ACIs below,
# while every other DN in this file has none.  DN matching normally
# normalises that, but keeping one spelling avoids surprises if it does not.
#
aci: (targetattr="*") (targetfilter="(| (guRestrict=Buckley) (gudeleteflag=*) )") (version 3.0; acl "Buckley Restricted"; allow (read, search, compare) groupdn = "ldap:///cn=ReadOnlyAdmins,ou=Specials,dc=georgetown,dc=edu" or groupdn = "ldap:///cn=ReadOnlyServiceAdmins,ou=Specials,dc=georgetown,dc=edu" or groupdn = "ldap:///cn=Help Desk Professional Staff,ou=Specials, dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Special entries that are NOT process visible (remember: these are people only)
#
aci: (targetattr="*") (version 3.0; acl "UnRestricted - only people can see everything -- not processes"; allow (read, search, compare) groupdn = "ldap:///cn=ReadOnlyAdmins,ou=Specials,dc=georgetown,dc=edu" or groupdn = "ldap:///cn=Help Desk Professional Staff,ou=Specials, dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Special entries that are process visible
# *inactive are not visible since we don't explicitly allow it
aci: (targetattr="*") (targetfilter="(|(guType=list) (ou=ReservedWords) (gurestrict=NoDirPrint) (guprimaryaffiliation=Alumni))") (version 3.0; acl "Other Restricted - that processes can see"; allow (read, search, compare) groupdn = "ldap:///cn=ReadOnlyServiceAdmins,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# End User Self Service
#
# NOTE(review): "User Self Read" is written as a deny-list (targetattr != ...),
# so a user can read every attribute of their own entry except gussn and
# gualumniid -- that includes userPassword and, if present on the entry,
# replicacredentials, which the anonymous ACI does exclude.  Confirm this is
# intended; any attribute added to the schema later is self-readable by default.
#
aci: (targetattr=" userPassword || gupwtimebomb || mailAutoReplyMode || mailAutoReplyText || mailForwardingAddress || mailRoutingAddress || vacationStartDate || vacationEndDate ") (version 3.0; acl "User Self Modification"; allow (write) userdn = "ldap:///self" ; )
aci: (targetattr!="gussn || gualumniid") (version 3.0; acl "User Self Read"; allow (read,search,compare) userdn = "ldap:///self" ; )
#
#############################################################################################
# Alumni Services - PCI in Dallas Texas, needs to see gualumniid as well as priv'd people
#
# uid=publishingconcepts is an external-vendor service account; it gets read
# on gualumniid only, and not on deleted entries.
#
aci: (targetattr = "gualumniid") (targetfilter != "(| (gudeleteflag=*) )") (version 3.0; acl "gualumniid access"; allow (read,search,compare) groupdn = "ldap:///cn=ReadOnlyAdmins,ou=Specials,dc=georgetown,dc=edu" or userdn = "ldap:///uid=publishingconcepts,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Mail Quota
#
aci: (targetattr = "mailquota") (version 3.0; acl "Mail Quota"; allow (write) groupdn = "ldap:///cn=Help Desk Professional Staff,ou=Specials, dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Emailbox Administration
#
# NOTE(review): guRestrict and guPrimaryAffiliation are writable here, and
# both are used as visibility controls in the Buckley/Anonymous ACIs, so the
# emailbox service account can indirectly change who may see an entry.
#
aci: (targetattr = " mail || mailhost || guEmailBox || guEmailBoxAlternate || guPrimaryAffiliation || guRestrict || mailAutoReplyMode || mailAutoReplyText || vacationStartDate || vacationEndDate ") (targetfilter != "(guRestrict=AlumniClaim)") (version 3.0; acl "Emailbox Services Admin"; allow (all) userdn = "ldap:///cn=EmailboxServiceAdmin,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# Webmail Related
# mailDeliveryOption is needed but it doesn't appear
# that the webmail interface wants to change this attribute --
# so, this is safe for now. WebMail should NEVER allow for
# changing this attribute -- security hole if we allow it.
#
# NOTE(review): the ACI below grants allow (all) on mailDeliveryOption to
# uid=webmail, so the "never change it" rule above is enforced only by the
# webmail application, not by the directory.  If the directory is meant to
# hold the line, mailDeliveryOption needs a separate read-only ACI.
#
# changes here need to be reflected in Anonymous and DSGW aci also
aci: (targetattr = " mailAutoReplyMode || mailAutoReplyText || mailDeliveryOption || mailForwardingAddress || mailRoutingAddress || mailAlternateAddress || nswmExtendedUserPrefs || vacationStartDate || vacationEndDate ") (targetfilter != "(| (guType=list) (guType=*inactive) (gudeleteflag=*) (gurestrict=EmailUnknown) (guRestrict=AlumniClaim) )") (version 3.0; acl "Web Mail Admin"; allow (all) userdn = "ldap:///uid=webmail,ou=Specials,dc=georgetown,dc=edu" ; )
#
#############################################################################################
# if gutype == pwreset-disabled, then don't show it publicly, otherwise, no harm no foul
#
# NOTE(review): both gutype ACIs below reuse the acl name "User Self
# Modification" already used by the self-write ACI above; give them distinct
# names (e.g. "gutype anonymous read", "gutype self clear") for log clarity.
#
aci: (targetattr="gutype") (targetfilter!="(gutype=pwreset-disabled)") (version 3.0; acl "User Self Modification"; allow (read,search,compare) userdn = "ldap:///anyone" ; )
# this allows for password changes to remove gutype=pwreset-disabled
# (self gets write on gutype only while the entry matches pwreset-disabled)
aci: (targetattr="gutype") (targetfilter="(gutype=pwreset-disabled)") (version 3.0; acl "User Self Modification"; allow (read,write) userdn = "ldap:///self" ; )
#############################################################################################
# Anonymous Access
#
# changes here need to be reflected in WEBMAIL aci also
#
# NOTE(review): this is a deny-list grant -- every attribute NOT named in
# targetattr is anonymously readable on every entry that passes the
# targetfilter.  Any sensitive attribute added to the schema later must be
# appended to this list (and to the self-read ACI) or it is exposed by default.
#
aci: (targetattr != "userPassword || guSSN || replicacredentials || gualumniid || gupwtimebomb || gutype") (target!="ldap:///*,ou=ReservedWords,dc=georgetown,dc=edu") (targetfilter != "(| (guType=list) (guType=*inactive) (gudeleteflag=*) (gurestrict=NoDirPrint) (guRestrict=Buckley) (guRestrict=AlumniClaim) (guprimaryaffiliation=Alumni) )") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone" ; )