diff --git a/docker-compose.yml b/docker-compose.yml
index 99b5875d..fc4765fa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,280 +1,301 @@ version: '3' services: coturn: build: context: ./docker/coturn/ container_name: kolab-coturn healthcheck: interval: 10s test: "kill -0 $$(cat /tmp/turnserver.pid)" timeout: 5s retries: 30 environment: - TURN_PUBLIC_IP=${COTURN_PUBLIC_IP} - TURN_LISTEN_PORT=3478 - TURN_STATIC_SECRET=${COTURN_STATIC_SECRET} hostname: sturn.mgmt.com image: kolab-coturn network_mode: host restart: on-failure tty: true kolab: build: context: ./docker/kolab/ container_name: kolab privileged: true depends_on: mariadb: condition: service_healthy pdns: condition: service_healthy extra_hosts: - "kolab.mgmt.com:127.0.0.1" environment: - LDAP_HOST=127.0.0.1 - LDAP_ADMIN_BIND_DN="cn=Directory Manager" - LDAP_ADMIN_BIND_PW=Welcome2KolabSystems - DB_HOST=mariadb - DB_ROOT_PASSWORD=Welcome2KolabSystems - DB_HKCCP_DATABASE=${DB_DATABASE} - DB_HKCCP_USERNAME=${DB_USERNAME} - DB_HKCCP_PASSWORD=${DB_PASSWORD} - DB_KOLAB_DATABASE=kolab - DB_KOLAB_USERNAME=kolab - DB_KOLAB_PASSWORD=Welcome2KolabSystems - DB_RC_USERNAME=roundcube - DB_RC_PASSWORD=Welcome2KolabSystems - SSL_CERTIFICATE=${KOLAB_SSL_CERTIFICATE:?err} - SSL_CERTIFICATE_FULLCHAIN=${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?err} - SSL_CERTIFICATE_KEY=${KOLAB_SSL_CERTIFICATE_KEY:?err} - IMAP_HOST=127.0.0.1 - IMAP_PORT=11993 - MAIL_HOST=127.0.0.1 - MAIL_PORT=10587 healthcheck: interval: 10s test: test -f /tmp/kolab-init.done timeout: 5s retries: 30 # This makes docker's dns, resolve via pdns for this container. 
# Please note it does not affect /etc/resolv.conf dns: 172.18.0.11 hostname: kolab.mgmt.com image: kolab networks: kolab: ipv4_address: 172.18.0.5 ports: - "12143:12143" tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./ext/:/src/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro - ./docker/certs/ca.cert:/etc/pki/tls/certs/ca.cert:ro - ./docker/certs/ca.cert:/etc/pki/ca-trust/source/anchors/ca.cert:ro - ./docker/certs/kolab.hosted.com.cert:${KOLAB_SSL_CERTIFICATE:?err} - ./docker/certs/kolab.hosted.com.chain.pem:${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?err} - ./docker/certs/kolab.hosted.com.key:${KOLAB_SSL_CERTIFICATE_KEY:?err} - ./docker/kolab/utils:/root/utils:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro - imap:/imapdata - ldap:/ldapdata + ldap: + build: + context: ./docker/ds389/ + container_name: kolab-ldap + environment: + - DS_DM_PASSWORD=Welcome2KolabSystems + - DS_SUFFIX_NAME="dc=mgmt,dc=com" + healthcheck: + interval: 10s + test: /usr/libexec/dirsrv/dscontainer -H + timeout: 5s + retries: 30 + image: kolab-ldap + ports: + - "3389:3389" + - "3636:3636" + networks: + - kolab + volumes: + - ldap2:/data mariadb: container_name: kolab-mariadb environment: - MARIADB_ROOT_PASSWORD=Welcome2KolabSystems - TZ="+02:00" - DB_HKCCP_DATABASE=${DB_DATABASE} - DB_HKCCP_USERNAME=${DB_USERNAME} - DB_HKCCP_PASSWORD=${DB_PASSWORD} healthcheck: interval: 10s test: test -e /var/run/mysqld/mysqld.sock timeout: 5s retries: 30 image: mariadb:latest networks: - kolab volumes: - ./docker/mariadb/mysql-init/:/docker-entrypoint-initdb.d/ - mariadb:/var/lib/mysql haproxy: build: context: ./docker/haproxy/ healthcheck: interval: 10s test: "kill -0 $$(cat /var/run/haproxy.pid)" timeout: 5s retries: 30 container_name: kolab-haproxy hostname: haproxy.hosted.com image: kolab-haproxy networks: - kolab tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro pdns: build: context: ./docker/pdns/ container_name: 
kolab-pdns hostname: pdns depends_on: mariadb: condition: service_healthy healthcheck: interval: 10s test: "systemctl status pdns || exit 1" timeout: 5s retries: 30 image: kolab-pdns networks: kolab: ipv4_address: 172.18.0.11 tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro proxy: build: context: ./docker/proxy/ args: APP_WEBSITE_DOMAIN: ${APP_WEBSITE_DOMAIN:?err} SSL_CERTIFICATE: ${PROXY_SSL_CERTIFICATE:?err} SSL_CERTIFICATE_KEY: ${PROXY_SSL_CERTIFICATE_KEY:?err} healthcheck: interval: 10s test: "kill -0 $$(cat /run/nginx.pid)" timeout: 5s retries: 30 container_name: kolab-proxy hostname: proxy image: kolab-proxy extra_hosts: - "meet:${MEET_LISTENING_HOST}" networks: kolab: ipv4_address: 172.18.0.7 tmpfs: - /run - /tmp - /var/run - /var/tmp tty: true volumes: - ./docker/certs/:/etc/certs/:ro - /etc/letsencrypt/:/etc/letsencrypt/:ro ports: # - "80:80" - "443:443" - "465:465" - "587:587" - "143:143" - "993:993" redis: build: context: ./docker/redis/ healthcheck: interval: 10s test: "redis-cli ping || exit 1" timeout: 5s retries: 30 container_name: kolab-redis hostname: redis image: redis networks: - kolab volumes: - ./docker/redis/redis.conf:/usr/local/etc/redis/redis.conf:ro # ports: # - "6379:6379" swoole: build: context: ./docker/swoole/ container_name: kolab-swoole image: apheleia/swoole:4.8.x webapp: build: context: ./docker/webapp/ container_name: kolab-webapp image: kolab-webapp healthcheck: interval: 10s test: "/src/kolabsrc/artisan octane:status || exit 1" timeout: 5s retries: 30 depends_on: kolab: condition: service_healthy redis: condition: service_healthy networks: - kolab volumes: - ./src:/src/kolabsrc.orig:ro ports: - "8000:8000" tests: build: context: ./docker/tests/ container_name: kolab-tests image: kolab-tests depends_on: kolab: condition: service_healthy networks: - kolab volumes: - ./src:/src/kolabsrc.orig:ro meet: build: context: ./docker/meet/ healthcheck: interval: 10s test: "curl --insecure -H 
'X-AUTH-TOKEN: ${MEET_SERVER_TOKEN}' --fail https://${MEET_LISTENING_HOST}:12443/meetmedia/api/health || exit 1" timeout: 5s retries: 30 environment: - WEBRTC_LISTEN_IP=${MEET_WEBRTC_LISTEN_IP:?err} - PUBLIC_DOMAIN=${MEET_PUBLIC_DOMAIN:?err} - LISTENING_HOST=${MEET_LISTENING_HOST:?err} - LISTENING_PORT=12443 - TURN_SERVER=${MEET_TURN_SERVER} - TURN_STATIC_SECRET=${COTURN_STATIC_SECRET} - AUTH_TOKEN=${MEET_SERVER_TOKEN:?err} - WEBHOOK_TOKEN=${MEET_WEBHOOK_TOKEN:?err} - WEBHOOK_URL=${APP_PUBLIC_URL:?err}/api/webhooks/meet - SSL_CERT=/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN:?err}.cert - SSL_KEY=/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN:?err}.key network_mode: host container_name: kolab-meet image: kolab-meet volumes: - ./meet/server:/src/meet/:ro - ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.cert:/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN}.cert - ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.key:/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN}.key networks: kolab: driver: bridge ipam: config: - subnet: "172.18.0.0/24" volumes: mariadb: imap: ldap:
+ ldap2:
diff --git a/docker/ds389/00core.ldif b/docker/ds389/00core.ldif
new file mode 100644
index 00000000..e698990e
--- /dev/null
+++ b/docker/ds389/00core.ldif
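Review bot: The new `ldap` service publishes `3389:3389` and `3636:3636` on every host interface while its Directory Manager credential is the literal `DS_DM_PASSWORD=Welcome2KolabSystems`, so the directory's admin bind becomes reachable from outside the `kolab` network with a password that is committed to the repository; no other service in the file references the new container yet (the `kolab` service still sets `LDAP_HOST=127.0.0.1`), so the published ports look like development convenience rather than a requirement. Either drop `ports:` or bind to loopback (`- "127.0.0.1:3389:3389"`, and likewise for 3636), and take the password from the environment the way the `DB_HKCCP_*` entries do, e.g. `- DS_DM_PASSWORD=${LDAP_DM_PASSWORD:?err}` (variable name constructed). Separately, in list-form `environment:` Compose passes the double quotes in `DS_SUFFIX_NAME="dc=mgmt,dc=com"` through as part of the value, so unless the dscontainer entrypoint strips them the suffix is set to a string that is not a valid DN; `- DS_SUFFIX_NAME=dc=mgmt,dc=com` avoids that. The hunk's lines are collapsed in this view, so the indentation of the added block could not be checked.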
@@ -0,0 +1,893 @@ +# 00core.ldif - Required Schema +# +# Contains standard schema from the following sources: +# +# - RFC 4512 +# - RFC 4519 +# - LDAP Subentry Internet Draft +# +# The DS specific "aci" attribute is also defined here so we can +# set a default aci # on the schema entry. +# +# NOTE: There is one very important deviation from the LDAP standard: +# there is a bug in the standard definition of groupOfNames and +# groupOfUniqueNames - the member/uniqueMember attribute is in the MUST +# list, not the MAY list, which means you cannot have an empty group. +# Until the LDAP community figures out how to do grouping properly, we +# have put the member/uniqueMember attribute into the MAY list, to allow +# empty groups. +################################################################################ +# +dn: cn=schema +objectclass: top +objectclass: ldapSubentry +objectclass: subschema +cn: schema +# +# aci to ensure that the standard schema attributes are visible to +# all LDAP clients (anonymous access). 
+# +aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) +# +################################################################################ +# +attributeTypes: ( 2.16.840.1.113730.3.1.55 NAME 'aci' + DESC 'Netscape defined access control information attribute type' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'Netscape Directory Server' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.0 NAME 'top' + ABSTRACT + MUST objectClass + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.1 NAME 'alias' + SUP top STRUCTURAL + MUST aliasedObjectName + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.1 NAME 'aliasedObjectName' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.0 NAME 'objectClass' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.2 NAME 'knowledgeInformation' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 2256' ) +# +################################################################################ +# +attributeTypes: ( 2.5.18.3 NAME 'creatorsName' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE NO-USER-MODIFICATION + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.18.1 NAME 'createTimestamp' + 
EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE NO-USER-MODIFICATION + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.18.4 NAME 'modifiersName' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE NO-USER-MODIFICATION + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE NO-USER-MODIFICATION + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.21.9 NAME 'structuralObjectClass' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 + SINGLE-VALUE NO-USER-MODIFICATION + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.21.10 NAME 'governingStructureRule' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE NO-USER-MODIFICATION + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.5.18.10 NAME 'subschemaSubentry' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE NO-USER-MODIFICATION + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +objectClasses: ( 2.5.20.1 NAME 'subschema' AUXILIARY + MAY ( dITStructureRules $ nameForms $ ditContentRules $ + objectClasses $ attributeTypes $ matchingRules $ + 
matchingRuleUse ) + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# TODO - Add Object Class Description syntax +#attributeTypes: ( 2.5.21.6 NAME 'objectClasses' +# EQUALITY objectIdentifierFirstComponentMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.37 +# USAGE directoryOperation +# X-ORIGIN 'RFC 4512' ) +attributeTypes: ( 2.5.21.6 NAME 'objectClasses' + EQUALITY objectIdentifierFirstComponentMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# TODO - Add Attribute Type Description syntax +#attributeTypes: ( 2.5.21.5 NAME 'attributeTypes' +# EQUALITY objectIdentifierFirstComponentMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.3 +# USAGE directoryOperation +# X-ORIGIN 'RFC 4512' ) +attributeTypes: ( 2.5.21.5 NAME 'attributeTypes' + EQUALITY objectIdentifierFirstComponentMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# TODO - Add Matching Rule Description syntax +#attributeTypes: ( 2.5.21.4 NAME 'matchingRules' +# EQUALITY objectIdentifierFirstComponentMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.30 +# USAGE directoryOperation +# X-ORIGIN 'RFC 4512' ) +attributeTypes: ( 2.5.21.4 NAME 'matchingRules' + EQUALITY objectIdentifierFirstComponentMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# TODO - Add Matching Rule Use Description syntax +#attributeTypes: ( 2.5.21.8 NAME 'matchingRuleUse' +# EQUALITY objectIdentifierFirstComponentMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.31 +# USAGE directoryOperation +# X-ORIGIN 'RFC 4512' ) +attributeTypes: ( 2.5.21.8 NAME 'matchingRuleUse' + EQUALITY objectIdentifierFirstComponentMatch + 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# TODO - Add LDAP Syntax Description syntax +#attributeTypes: ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes' +# EQUALITY objectIdentifierFirstComponentMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.54 +# USAGE directoryOperation +# X-ORIGIN 'RFC 4512' ) +attributeTypes: ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes' + EQUALITY objectIdentifierFirstComponentMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# TODO - Add DIT Content Rule Description syntax +#attributeTypes: ( 2.5.21.2 NAME 'dITContentRules' +# EQUALITY objectIdentifierFirstComponentMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.16 +# USAGE directoryOperation +# X-ORIGIN 'RFC 4512' ) +attributeTypes: ( 2.5.21.2 NAME 'dITContentRules' + EQUALITY objectIdentifierFirstComponentMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# TODO - Add DIT Structure Rule Description syntax +#attributeTypes: ( 2.5.21.1 NAME 'dITStructureRules' +# EQUALITY integerFirstComponentMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.17 +# USAGE directoryOperation +# X-ORIGIN 'RFC 4512' ) +attributeTypes: ( 2.5.21.1 NAME 'dITStructureRules' + EQUALITY integerFirstComponentMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# TODO - Add Name Form Description syntax +#attributeTypes: ( 2.5.21.7 NAME 'nameForms' +# EQUALITY objectIdentifierFirstComponentMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.35 +# USAGE directoryOperation +# X-ORIGIN 'RFC 4512' ) +attributeTypes: ( 2.5.21.7 NAME 
'nameForms' + EQUALITY objectIdentifierFirstComponentMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE directoryOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' + SUP top AUXILIARY + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + USAGE dSAOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + USAGE dSAOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 + USAGE dSAOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 + USAGE dSAOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 1.3.6.1.4.1.4203.1.3.5 NAME 'supportedFeatures' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 + USAGE dSAOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + USAGE dSAOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms' 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE dSAOperation + X-ORIGIN 'RFC 4512' ) +# +################################################################################ +# +attributeTypes: ( 2.16.840.1.113730.3.1.2386 NAME 'availableSASLMechanisms' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + USAGE dSAOperation + X-ORIGIN '389 Directory Server' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.41 NAME 'name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.15 NAME 'businessCategory' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' ) + SUP name + SYNTAX 1.3.6.1.4.1.1466.115.121.1.11 + SINGLE-VALUE + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'countryName' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) + SUP name + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'commonName' ) +# +################################################################################ +# +attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'domaincomponent' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.13 NAME 'description' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' ) +# 
+################################################################################ +# +attributeTypes: ( 2.5.4.27 NAME 'destinationIndicator' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.49 NAME ( 'distinguishedName' 'dn' ) + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'dn' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.46 NAME 'dnQualifier' + EQUALITY caseIgnoreMatch + ORDERING caseIgnoreOrderingMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.47 NAME 'enhancedSearchGuide' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'fax' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.44 NAME 'generationQualifier' + SUP name + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.42 NAME ( 'givenName' 'gn' ) + SUP name + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.51 NAME 'houseIdentifier' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: 
( 2.5.4.43 NAME 'initials' + SUP name + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.29 NAME 'presentationAddress' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE + X-ORIGIN 'RFC 2256' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.30 NAME 'supportedApplicationContext' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 + X-ORIGIN 'RFC 2256' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.48 NAME 'protocolInformation' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 2256' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.54 NAME 'dmdName' + SUP name + X-ORIGIN 'RFC 2256' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.25 NAME 'internationalISDNNumber' + EQUALITY numericStringMatch + SUBSTR numericStringSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.7 NAME ( 'l' 'locality' 'localityname' ) + SUP name + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'locality localityname' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.31 NAME 'member' + SUP distinguishedName + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationname' ) + SUP name + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'organizationname' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) + SUP name + X-ORIGIN 'RFC 4519' + 
X-DEPRECATED 'organizationalUnitName' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.32 NAME 'owner' + SUP distinguishedName + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.16 NAME 'postalAddress' + EQUALITY caseIgnoreListMatch + SUBSTR caseIgnoreListSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.17 NAME 'postalCode' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.18 NAME 'postOfficeBox' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.28 NAME 'preferredDeliveryMethod' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 + SINGLE-VALUE + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.26 NAME 'registeredAddress' + SUP postalAddress + SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.33 NAME 'roleOccupant' + SUP distinguishedName + X-ORIGIN 'RFC 4519' ) +# 
+################################################################################ +# +attributeTypes: ( 2.5.4.14 NAME 'searchGuide' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.34 NAME 'seeAlso' + SUP distinguishedName + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.5 NAME 'serialNumber' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surName' ) + SUP name + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'surName' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) + SUP name + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'stateOrProvinceName' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'streetaddress' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.20 NAME 'telephoneNumber' + EQUALITY telephoneNumberMatch + SUBSTR telephoneNumberSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.22 NAME 'teletexTerminalIdentifier' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.21 NAME 'telexNumber' + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.52 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.12 NAME 'title' + SUP name + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + X-ORIGIN 'RFC 4519' + X-DEPRECATED 'userid' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.50 NAME 'uniqueMember' + EQUALITY uniqueMemberMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.35 NAME 'userPassword' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.24 NAME 'x121Address' + EQUALITY numericStringMatch + SUBSTR numericStringSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +attributeTypes: ( 2.5.4.45 NAME 'x500UniqueIdentifier' + EQUALITY bitStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.11 NAME 'applicationProcess' + SUP top + STRUCTURAL + MUST cn + MAY ( seeAlso $ + ou $ + l $ + description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.12 NAME 'applicationEntity' + SUP top + STRUCTURAL + MUST ( cn $ presentationAddress ) + MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) + 
X-ORIGIN 'RFC 2256' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.13 NAME 'dSA' + SUP applicationEntity + STRUCTURAL + MAY knowledgeInformation + X-ORIGIN 'RFC 2256' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.20 NAME 'dmd' + SUP top + STRUCTURAL + MUST ( dmdName ) + MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ + x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationaliSDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l $ description ) + X-ORIGIN 'RFC 2256' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.2 NAME 'country' + SUP top + STRUCTURAL + MUST c + MAY ( searchGuide $ + description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' + SUP top + AUXILIARY + MUST dc + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.14 NAME 'device' + SUP top + STRUCTURAL + MUST cn + MAY ( serialNumber $ + seeAlso $ + owner $ + ou $ + o $ + l $ + description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.9 NAME 'groupOfNames' + SUP top + STRUCTURAL + MUST ( cn ) + MAY ( member $ + businessCategory $ + seeAlso $ + owner $ + ou $ + o $ + description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' + SUP top + STRUCTURAL + MUST ( cn ) + MAY ( uniqueMember $ + businessCategory $ 
+ seeAlso $ + owner $ + ou $ + o $ + description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.3 NAME 'locality' + SUP top + STRUCTURAL + MAY ( street $ + seeAlso $ + searchGuide $ + st $ + l $ + description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.4 NAME 'organization' + SUP top + STRUCTURAL + MUST o + MAY ( userPassword $ searchGuide $ seeAlso $ + businessCategory $ x121Address $ registeredAddress $ + destinationIndicator $ preferredDeliveryMethod $ + telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationalISDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ + postalCode $ postalAddress $ physicalDeliveryOfficeName $ + st $ l $ description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.6 NAME 'person' + SUP top + STRUCTURAL + MUST ( sn $ + cn ) + MAY ( userPassword $ + telephoneNumber $ + seeAlso $ description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' + SUP person + STRUCTURAL + MAY ( title $ x121Address $ registeredAddress $ + destinationIndicator $ preferredDeliveryMethod $ + telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationalISDNNumber $ + facsimileTelephoneNumber $ street $ postOfficeBox $ + postalCode $ postalAddress $ physicalDeliveryOfficeName $ + ou $ st $ l ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.8 NAME 'organizationalRole' + SUP top + STRUCTURAL + MUST cn + MAY ( x121Address $ registeredAddress $ destinationIndicator $ + preferredDeliveryMethod $ telexNumber $ + teletexTerminalIdentifier $ 
telephoneNumber $ + internationalISDNNumber $ facsimileTelephoneNumber $ + seeAlso $ roleOccupant $ preferredDeliveryMethod $ + street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ ou $ st $ l $ + description ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' + SUP top + STRUCTURAL + MUST ou + MAY ( businessCategory $ description $ destinationIndicator $ + facsimileTelephoneNumber $ internationalISDNNumber $ l $ + physicalDeliveryOfficeName $ postalAddress $ postalCode $ + postOfficeBox $ preferredDeliveryMethod $ + registeredAddress $ searchGuide $ seeAlso $ st $ street $ + telephoneNumber $ teletexTerminalIdentifier $ + telexNumber $ userPassword $ x121Address ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.5.6.10 NAME 'residentialPerson' + SUP person + STRUCTURAL + MUST l + MAY ( businessCategory $ x121Address $ registeredAddress $ + destinationIndicator $ preferredDeliveryMethod $ + telexNumber $ teletexTerminalIdentifier $ + telephoneNumber $ internationalISDNNumber $ + facsimileTelephoneNumber $ preferredDeliveryMethod $ + street $ postOfficeBox $ postalCode $ postalAddress $ + physicalDeliveryOfficeName $ st $ l ) + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' + SUP top + AUXILIARY + MUST uid + X-ORIGIN 'RFC 4519' ) +# +################################################################################ +# +objectClasses: ( 2.16.840.1.113719.2.142.6.1.1 NAME 'ldapSubEntry' + DESC 'LDAP Subentry class, version 1' + SUP top + STRUCTURAL + MAY ( cn ) + X-ORIGIN 'LDAP Subentry Internet Draft' ) +# +################################################################################ +# +attributeTypes: ( 1.3.1.1.4.1.453.16.2.103 
NAME 'numSubordinates'
+ DESC 'count of immediate subordinates'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE
+ NO-USER-MODIFICATION
+ USAGE directoryOperation
+ X-ORIGIN 'numSubordinates Internet Draft' )
+#
+################################################################################
+#
diff --git a/docker/ds389/Dockerfile b/docker/ds389/Dockerfile
index 50831532..cacbc9e8 100644
--- a/docker/ds389/Dockerfile
+++ b/docker/ds389/Dockerfile
@@ -1,41 +1,23 @@
-FROM centos/centos7:latest
+FROM fedora:35
-MAINTAINER Liutauras Adomaitis
+RUN dnf -y install --setopt=install_weak_deps=False \
+ 389-ds-base python3-lib389 && \
+ dnf -y clean all
-RUN yum -y install \
- epel-release \
- 389-ds-base \
- 389-adminutil \
- gettext && \
- yum clean all
+RUN mkdir -p /data/{config,ssca,run} /var/run/dirsrv && \
+ ln -s /data/config /etc/dirsrv/slapd-localhost && \
+ ln -s /data/ssca /etc/dirsrv/ssca && \
+ ln -s /data/run /var/run/dirsrv && \
+ chmod -R 777 /data /etc/dirsrv
-COPY *.tpl /
-COPY kolab-schema.ldif /etc/dirsrv/schema/99kolab-schema.ldif
+HEALTHCHECK --start-period=5m --timeout=5s --interval=5s --retries=2 \
+ CMD /usr/lib/dirsrv/dscontainer -H
-RUN for F in $(ls *.tpl); do eval "echo \"$(cat $F)\"" | tee ${F%%.tpl}; done
+VOLUME /data
-RUN rm -fr /var/lock /usr/lib/systemd/system && \
- setup-ds.pl -ddd --silent --file /ds_setup.inf && \
- chown nobody.nobody -R /var/lib/dirsrv/ && \
- mv mgmt_com-install.ldif ${DOMAIN_DB}-install.ldif && \
- mv hosted_com-install.ldif ${HOSTED_DOMAIN_DB}-install.ldif && \
- mv *.ldif /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME}/ldif/.
+# ADD init.sh /init.sh
+
+# CMD ["/init.sh"]
-# This only copies another kolab-schema.ldif
-#COPY *.ldif /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME}/ldif/
-
-EXPOSE 389
-
-CMD cd /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME}/ldif/ && \
- for ldif in $(ls *-import.ldif || ls *-install.ldif || true); do \
- sed -r -i -e 's/mailHost: .*$/mailHost: localhost/g' ${ldif}; \
- chmod 644 ${ldif}; \
- namespace=$(echo "${ldif}" | sed -e 's/-import.ldif$//' -e 's/-install.ldif$//'); \
- /usr/lib64/dirsrv/slapd-${DS_INSTANCE_NAME}/ldif2db \
- -Z ${DS_INSTANCE_NAME} \
- -n ${namespace} \
- -i /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME}/ldif/${ldif}; \
- done && \
- /usr/lib64/dirsrv/slapd-hkccp/start-slapd && \
- tail -F /var/log/dirsrv/slapd-${DS_INSTANCE_NAME}/{access,audit,errors}
+CMD ["/usr/libexec/dirsrv/dscontainer", "-r"]
+EXPOSE 3389 3636
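Review bot: The HEALTHCHECK on this hunk runs `/usr/lib/dirsrv/dscontainer -H` while the CMD a few lines later runs `/usr/libexec/dirsrv/dscontainer`; if only the libexec path exists in the fedora:35 package, the probe fails on every run and the container stays permanently unhealthy, so `CMD /usr/libexec/dirsrv/dscontainer -H` keeps the two in step. Separately, `chmod -R 777 /data /etc/dirsrv` leaves the instance configuration (which, as far as I recall of 389-ds, carries the Directory Manager password hash in dse.ldif) and the `ssca` CA material writable by every uid in the container and, through the `/data` volume, by anything that can reach that mount. If the server process runs unprivileged, `chown -R <dirsrv uid> /data /etc/dirsrv && chmod -R 750 /data /etc/dirsrv` gives it what it needs without the world-writable bit; if it runs as root the chmod is unnecessary altogether.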
diff --git a/docker/ds389/init.sh b/docker/ds389/init.sh
new file mode 100755
index 00000000..46b0ec8c
--- /dev/null
+++ b/docker/ds389/init.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -x
+# ds
+#
+#
+#labjj
+#dscontainer
+
+cat > /tmp/dscreate-config << EOF
+[general]
+FullMachineName = kolab.mgmt.com
+SuiteSpotUserID = dirsrv
+SuiteSpotGroup = dirsrv
+AdminDomain = mgmt.com
+ConfigDirectoryLdapURL = ldap://kolab.mgmt.com:389/o=NetscapeRoot
+ConfigDirectoryAdminID = admin
+ConfigDirectoryAdminPwd = CzAsObG6KyYTte9
+full_machine_name = kolab.mgmt.com
+
+[slapd]
+SlapdConfigForMC = Yes
+UseExistingMC = 0
+ServerPort = 389
+ServerIdentifier = kolab
+Suffix = dc=mgmt,dc=com
+RootDN = cn=Directory Manager
+RootDNPwd = Welcome2KolabSystems
+ds_bename = mgmt_com
+AddSampleEntries = No
+instance_name = kolab
+root_password = Welcome2KolabSystems
+create_suffix_entry = True
+
+[backend-userroot]
+suffix = dc=mgmt,dc=com
+create_suffix_entry = True
+
+[admin]
+Port = 9830
+ServerAdminID = admin
+ServerAdminPwd = CzAsObG6KyYTte9
+EOF
+
+
+dscreate from-file /tmp/dscreate-config
+
+exec /usr/libexec/dirsrv/dscontainer -r
diff --git a/docker/ds389/initialize.sh b/docker/ds389/initialize.sh
new file mode 100755
index 00000000..d69eee57
--- /dev/null
+++ b/docker/ds389/initialize.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+#docker exec -i -t kolab-ldap /usr/sbin/dsconf localhost backend create --suffix dc=mgmt,dc=com --be-name mgmt_com
+
+LDAPADD="ldapadd -x -H ldap://127.0.0.1:3389 -D 'cn=Directory Manager' -w 'Welcome2KolabSystems'"
+
+cp template.ldif /tmp/template.ldif
+sed -i -e 's/%ds_suffix%/dc=mgmt,dc=com/' /tmp/template.ldif
+sed -i -e 's/%rootdn%/cn=Directory Manager/' /tmp/template.ldif
+
+eval "$LDAPADD -f kolab-schema.ldif"
+eval "$LDAPADD -f /tmp/template.ldif"
diff --git a/docker/ds389/template.ldif b/docker/ds389/template.ldif
new file mode 100644
index 00000000..bdda0268
--- /dev/null
+++ b/docker/ds389/template.ldif
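Review bot: The heredoc writes the Directory Manager and admin passwords (`RootDNPwd`, `root_password`, `ConfigDirectoryAdminPwd`, `ServerAdminPwd`) in clear to `/tmp/dscreate-config` under the default umask, and the file is never removed after `dscreate from-file` returns, so the secrets stay readable by any process in the container for its lifetime. Adding `umask 077` before the `cat` and `trap 'rm -f /tmp/dscreate-config' EXIT` before `dscreate` closes that, and the same literal password recurs in initialize.sh below, so sourcing it from an environment variable supplied by the compose file would keep it out of both scripts. The config also requests instance `kolab` on port 389 while the Dockerfile hunk above symlinks `/etc/dirsrv/slapd-localhost`, exposes 3389 and then `exec`s `dscontainer -r`, which manages its own instance; it is not clear the two agree, and since the Dockerfile keeps its `ADD init.sh`/`CMD` lines commented out this script appears unused at present. The `[general]` and `[slapd]` sections further mix legacy `setup-ds.pl` keys (`FullMachineName`, `SlapdConfigForMC`) with dscreate keys (`full_machine_name`, `instance_name`); if dscreate rejects unknown keys the legacy ones should go.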
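Review bot: The bind password is put on the command line through `-w 'Welcome2KolabSystems'` and the whole command is assembled as a string and run through `eval`, so the password shows in the process list of every user on the host while each ldapadd runs, and any later change to the string (a quote in the DN, say) is re-parsed by the shell. The script also has no `set -e`, so a failed schema import is followed by the template import regardless. A bash array with `-y passfile` (ldapadd reads the password from a file) avoids both the eval and the argv exposure, and `set -euo pipefail` stops on the first failure; `LDAP_PASSWORD_FILE` in the sketch below is a placeholder name for wherever the compose setup mounts that 0600 file.
```shell
#!/bin/bash
set -euo pipefail

# password comes from a 0600 file named by LDAP_PASSWORD_FILE (placeholder), never from argv
LDAPADD=(ldapadd -x -H ldap://127.0.0.1:3389 -D 'cn=Directory Manager' -y "${LDAP_PASSWORD_FILE:?}")

# … unchanged: template.ldif copy and the two sed substitutions …

"${LDAPADD[@]}" -f kolab-schema.ldif
"${LDAPADD[@]}" -f /tmp/template.ldif
```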
@@ -0,0 +1,96 @@ +# +# BEGIN COPYRIGHT BLOCK +# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. +# Copyright (C) 2005 Red Hat, Inc. +# All rights reserved. +# +# License: GPL (version 3 or any later version). +# See LICENSE for details. +# END COPYRIGHT BLOCK +# +# +# Note: %rootdn% (Directory Manager) has all rights on every entry by nature. +# Thus, it is not needed to give any acis. This template has several +# groupOfUniqueNames objects which MUST have uniqueMember. At this moment, +# there is no entry which could be a uniqueMember. Just to satisfy the +# objectclass, set %rootdn% to uniqueMember of the objectclass. +# +dn: %ds_suffix% +changetype: modify +add: aci +aci: (targetattr ="*")(version 3.0; + acl "Directory Administrators Group";allow (all) (groupdn = "ldap:/// + cn=Directory Administrators, %ds_suffix%");) + +dn: cn=Directory Administrators, %ds_suffix% +objectClass: top +objectClass: groupofuniquenames +cn: Directory Administrators +uniqueMember: %rootdn% + +dn: ou=Groups, %ds_suffix% +objectclass: top +objectclass: organizationalunit +ou: Groups + +dn: ou=People, %ds_suffix% +objectclass: top +objectclass: organizationalunit +ou: People +aci: (targetattr ="userpassword || te + lephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry + modification";allow (write)(userdn = "ldap:///self");) +aci: (targetattr !="cn || sn || uid")(t + argetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers G + roup Permissions";allow (write)(groupdn = "ldap:///cn=Accounting Managers,ou + =groups,%ds_suffix%");) +aci: (targetattr !="cn || sn || uid")(t + argetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permiss + ions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,%ds_suffix% + ");) +aci: (targetattr !="cn ||sn || uid")(t + argetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permiss + ions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,%ds_suffix% + ");) +aci: (targetattr 
!="cn || sn || uid")(t + argetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering + Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups + ,%ds_suffix%");) + +dn: ou=Special Users,%ds_suffix% +objectclass: top +objectclass: organizationalUnit +ou: Special Users +description: Special Administrative Accounts + +dn: cn=Accounting Managers,ou=groups,%ds_suffix% +objectclass: top +objectclass: groupOfUniqueNames +cn: Accounting Managers +ou: groups +description: People who can manage accounting entries +uniqueMember: %rootdn% + +dn: cn=HR Managers,ou=groups,%ds_suffix% +objectclass: top +objectclass: groupOfUniqueNames +cn: HR Managers +ou: groups +description: People who can manage HR entries +uniqueMember: %rootdn% + +dn: cn=QA Managers,ou=groups,%ds_suffix% +objectclass: top +objectclass: groupOfUniqueNames +cn: QA Managers +ou: groups +description: People who can manage QA entries +uniqueMember: %rootdn% + +dn: cn=PD Managers,ou=groups,%ds_suffix% +objectclass: top +objectclass: groupOfUniqueNames +cn: PD Managers +ou: groups +description: People who can manage engineer entries +uniqueMember: %rootdn%