389 aci
# Access control for a Kerberos KDC LDAP backend on a 389 Directory Server suffix
# (the krb* attributes look like the MIT Kerberos kdb5_ldap schema — confirm).
# Three `changetype: modify` records each add ACIs to the suffix entry; with no
# explicit `target`, each ACI applies to the suffix entry and its whole subtree.
# NOTE(review): LDIF requires an empty line between records. If the blank lines
# were lost when this was copied, restore them before feeding it to ldapmodify,
# otherwise the second `dn:` line is parsed as part of the first record.
# 1. Provide the KDC permission to read everything and write lockout data
# NOTE(review): targetattr="*" over the entire suffix also exposes userPassword
# and every other attribute to the uid=kdc identity, which is broader than a KDC
# needs. If the realm data lives in its own container, a narrower scope such as
# (target="ldap:///<REALM-CONTAINER-DN>") or a krb*-only targetattr list would be
# least-privilege — verify where the principals are actually stored.
dn: dc=it-verband-chemnitz,dc=de
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "KDC Read Access"; allow (read,search,compare) userdn="ldap:///uid=kdc,ou=services,dc=it-verband-chemnitz,dc=de";)
-
# Write is limited to the three lockout bookkeeping attributes; the KDC cannot
# change keys or principal flags through this rule.
add: aci
aci: (targetattr="krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC Write Access for Lockouts"; allow (write) userdn="ldap:///uid=kdc,ou=services,dc=it-verband-chemnitz,dc=de";)
# 2. Provide Kadmin full access to the whole suffix (to manage keys/principals)
# NOTE(review): `all` on `*` across the suffix makes uid=kadmin a near-root
# identity for every entry, not just Kerberos ones — the kadmin service account
# credential is therefore as sensitive as the key material itself. Scoping the
# target to the realm container (see note on rule 1) would contain a compromise.
dn: dc=it-verband-chemnitz,dc=de
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Kadmin Full Access"; allow (all) userdn="ldap:///uid=kadmin,ou=services,dc=it-verband-chemnitz,dc=de";)
# 3. Deny everyone else from seeing the actual keys (The Security Layer)
# NOTE(review): 389 DS access control is deny-by-default and a matching deny
# always wins over an allow, so this rule only has an effect if some other ACI
# (commonly the default "Enable anonymous access" allow on the suffix) grants
# read on these attributes — confirm which allow it is overriding. Keeping the
# deny as a backstop is fine, but the more robust fix is to also exclude
# krbPrincipalKey and krbExtraData from that allow ACI's targetattr.
# NOTE(review): only read/search/compare are denied. If any other ACI grants
# write on these attributes (e.g. a self-modification rule on user entries),
# a principal could replace its own key; consider denying write here as well.
# The cn=Directory Manager exclusion is harmless but redundant: the root DN is
# not subject to ACI evaluation at all.
dn: dc=it-verband-chemnitz,dc=de
changetype: modify
add: aci
aci: (targetattr="krbPrincipalKey || krbExtraData")(version 3.0; acl "Restrict Kerberos Keys"; deny (read,search,compare) userdn!="ldap:///uid=kdc,ou=services,dc=it-verband-chemnitz,dc=de" AND userdn!="ldap:///uid=kadmin,ou=services,dc=it-verband-chemnitz,dc=de" AND userdn!="ldap:///cn=Directory Manager";)