e-smith-ldap-5.2.0-allow_authenticated_users_to_read_attrs.patch

diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects	2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls60sensibleObjects	2010-10-14 22:23:21.000000000 +0200
@@ -2,9 +2,17 @@
 # Prevent access to system, dummy and machine accounts
 
 access to dn.subtree=ou=Users,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=inetOrgPerson))
+        by users	peername.ip="127.0.0.1"	read
+        by users	ssf=128	read
         by anonymous	none
+
 access to dn.subtree=ou=Groups,{ esmith::util::ldapBase ($DomainName); } filter=(!(objectClass=mailboxRelatedObject))
+        by users        peername.ip="127.0.0.1" read
+        by users        ssf=128 read
         by anonymous	none
+
 access to dn.subtree=ou=Computers,{ esmith::util::ldapBase ($DomainName); }
+        by users        peername.ip="127.0.0.1" read
+        by users        ssf=128 read
         by anonymous	none
 
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs	2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls70sensibleAttrs	2010-10-14 22:23:21.000000000 +0200
@@ -1,7 +1,10 @@
 {
 
 # Array of attrs which should not be visible anonymously
-@sensible = ();
+@anon = ();
+
+# Array of attrs which should not be visible by other users
+@users = ();
 
 $OUT .= '';
 
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount	2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls72posixAccount	2010-10-14 22:23:21.000000000 +0200
@@ -1,7 +1,7 @@
 {
 
 # Sensible attributes related to posixAccount
-push @sensible, qw/loginShell gidNumber homeDirectory uidNumber/;
+push @anon, qw/loginShell gidNumber homeDirectory uidNumber/;
 
 $OUT .= '';
 
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount	2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls74shadowAccount	2010-10-14 22:23:21.000000000 +0200
@@ -1,7 +1,7 @@
 {
 
 # Sensible attributes related to shadowAccount
-push @sensible,qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/; 
+push @anon, qw/shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning/; 
 
 $OUT .= '';
 
diff -Nur -x '*.orig' -x '*.rej' e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl
--- e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl	2010-10-14 22:29:18.000000000 +0200
+++ mezzanine_patched_e-smith-ldap-5.2.0/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls80sensibleAcl	2010-10-14 22:23:21.000000000 +0200
@@ -1,13 +1,27 @@
 {
-my $attrs = join(",",@sensible);
+my $anon_attrs = join(",",@anon);
+my $users_attrs = join(",",@users);
 
-unless ($attrs eq ''){
+unless ($anon_attrs eq ''){
     $OUT .=<<"HERE";
-# Restrict access to some sensible attributes
-access to attrs=$attrs
+access to attrs=$anon_attrs
         by self	peername.ip="127.0.0.1"	read
         by self	ssf=128	read
-        by anonymous	none
+        by users	peername.ip="127.0.0.1"	read
+        by users	ssf=128	read
+        by *	none
+
+HERE
+}
+
+unless ($users_attrs eq ''){
+    $OUT .=<<"HERE"; 
+access to attrs=$users_attrs
+        by self	peername.ip="127.0.0.1" read
+        by self ssf=128 read
+        by *	none
+
 HERE
 }
+
 }