 
09-09-2008, 10:35 PM
Dharmin Mandalia

User privileges

Hello

On our Directory Server, we have different OUs for each department,
under which we have dept users. Is it possible to allow each department
admin to add/delete/edit user/group/other entries for their own
department OU ONLY, over Directory console, so basically one admin
from each department has full access/rights over user/group/other
entries under their dept OU, over Dir Console.


If you know how the above can be done, please tell me....

Appreciate your reply.

Regards
Dharmin

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
09-16-2008, 10:46 AM
Joerg Antweiler

User privileges

Hi Dharmin,

You might want to work with ACIs. One way to achieve what you want: define your admin users in a meaningful OU:

your admin ou:

dn: ou=myadmins,o=some-root-suffix
ou: myadmins
objectClass: top
objectClass: organizationalunit

one of your admins:

dn: uid=Serviceadmin,ou=myadmins, o=some-root-suffix
givenName: Serviceadmin
sn: Serviceadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: Serviceadmin
cn: Serviceadmin
userPassword: some-password

define one corresponding ACI for every ou:

dn: ou=myorganizationalunit,o=some-root-suffix
aci: (targetattr = "*") (target = "ldap:///ou=myorganizationalunit,o=some-root-suffix") (version 3.0;acl "Admin for myou Access ACI";allow (all)(userdn = "ldap:///uid=Serviceadmin,ou=myadmins, o=some-root-suffix");)
ou: myorganizationalunit
objectClass: top
objectClass: organizationalunit

Fine-tune security in terms of
which attributes can be accessed, modified etc. ( targetattr )
allowed operations ( in my example, all operations are allowed )

Hope it gives you an idea,
Regards,
Joerg
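
An added example, not part of Joerg's message: an LDIF modify record that attaches a narrower form of the ACI above to an OU that already exists, using the thread's placeholder DNs. The attribute list and the rights list are assumptions chosen to illustrate the fine-tuning he mentions; adjust both to the object classes used in the department.

```ldif
# Constructed example using the placeholder DNs from the message above.
# Adds a delegated-admin ACI to an existing department OU.
#
# Differences from the allow (all) / targetattr = "*" version:
#  - targetattr is an explicit list (assumed attribute set). The aci
#    attribute is deliberately absent, so the department admin cannot
#    rewrite the access rules inside the OU.
#  - the rights are listed individually instead of "all".
#
# Lines beginning with a space are LDIF continuation lines; the leading
# space is dropped and the text is joined to the previous line.
dn: ou=myorganizationalunit,o=some-root-suffix
changetype: modify
add: aci
aci: (target = "ldap:///ou=myorganizationalunit,o=some-root-suffix")
 (targetattr = "objectClass || cn || sn || givenName || uid || mail ||
  userPassword || description || member || uniqueMember")
 (version 3.0; acl "Dept admin for myorganizationalunit";
  allow (read, search, compare, write, add, delete)
  userdn = "ldap:///uid=Serviceadmin,ou=myadmins,o=some-root-suffix";)
```

Load it with ldapmodify while bound as an identity that may write the aci attribute on the OU, then bind as the department admin and confirm that a change outside the OU is refused.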



 
09-16-2008, 03:33 PM
Dharmin Mandalia

User privileges

Hi Joerg

Thanks.. will soon try what you've suggested.

Regards
Dharmin




 

All times are GMT.