feat: add scana11y to ldap

2025-08-07 12:08:47 +02:00
parent 99b387fe8b
commit 0e91e1e7f5
1 changed files with 36 additions and 0 deletions
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
@@ -330,6 +330,42 @@ in {
        ];
      };

+      "olcDatabase={9}mdb".attrs = {
+        objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+        olcDatabase = "{9}mdb";
+        olcDbDirectory = "/var/lib/openldap/data";
+
+        olcSuffix = "dc=scana11y,dc=com";
+
+        olcAccess = [
+          ''
+            {0}to attrs=userPassword
+              by self write
+              by anonymous auth
+              by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * none
+          ''
+          ''
+            {1}to attrs=pgpPublicKey
+              by self write
+              by anonymous read
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+          ''
+            {2}to *
+              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+              by * read
+          ''
+        ];
+      };
+
      # "cn=module{0},cn=config" = {
      #   attrs = {
      #     objectClass = "olcModuleList";