03-05-2011, 11:39 AM
"Andrea Modesto Rossi"

Issue with 389

Dear all,

I hope you can help me in order to set up my first 389 Server.

My situation: fresh install of 389 (Fedora 14), installed the DS via
yum from the standard repos. Everything seems to work properly, DNA as well.

Basically I've got 2 problems and 1 question.

First of all, I work with 389 console ):

1) Adding a new group (e.g. administrator) I see that there is not the GID
attribute and I have to add it (by hand) every time (Advanced properties
---> Object class ---> Add value ---> Posix Group); it's very boring :-)
How can I fix this issue? In general, is it possible to modify the basic
DIT? Indeed I'd like to add much more information (manager, company,... and
so on) for each new user in a fast way.

2) I'm writing a Web interface able to manage user accounts (e.g. password).
For some operations (reset pw) I need a Bind DN user, right? Ok, please
could you help me write an ACL (principle of least privilege) for this
user? I don't like to use the directory manager (cn=directory manager). My
idea is to create a new user able to handle only his OU, and nothing else!

3) I have a PKI. Can I manage (store) users' keys (public and private)
directly through 389? If so, how? Could you point me in the right
direction?



Thank you very much.

have a nice weekend

/AMR
--
Andrea Modesto Rossi
Fedora Ambassador


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
03-07-2011, 08:57 AM
Carsten Grzemba

Issue with 389

----- Original Message -----
From: Andrea Modesto Rossi <amrossi@linux.it>
Date: Saturday, 5 March 2011, 13:39
Subject: [389-users] Issue with 389
To: 389-users@lists.fedoraproject.org

> Dear all,
>
> I hope you can help me in order to set up my first 389 Server.
>
> My situation: fresh install of 389 (Fedora 14), installed the
> DS via yum from the standard repos. Everything seems to work properly,
> DNA as well.
>
> Basically I've got 2 problems and 1 question.
>
> First of all, I work with 389 console ):
>
> 1) Adding a new group (e.g. administrator) I see that there is
> not the GID attribute and I have to add it (by hand) every time
> (Advanced properties ---> Object class ---> Add value ---> Posix Group);
> it's very boring :-)
> How can I fix this issue?

If not already, there will be a new version which has a tab for editing posix group attributes.

> In general, is it possible to modify the basic
> DIT? Indeed I'd like to add much more information (manager,
> company,... and so on) for each new user in a fast way.

The fastest way to modify LDAP is CLI (ldapmodify) ;-).
To extend the GUI for more attributes is possible but less documented.

>
> 2) I'm writing a Web interface able to manage user accounts
> (e.g. password). For some operations (reset pw) I need a Bind DN
> user, right? Ok, please
> could you help me write an ACL (principle of least privilege)
> for this user? I don't like to use the directory manager (cn=directory
> manager). My idea is to create a new user able to handle only his OU, and
> nothing else!

You can easily add an ACI on that OU node with the console:
Set access permissions

First you add a user who should get the permissions to manage the users, for example: uid=uhd,ou=people,dc=example,dc=com

Choose the container which contains the users to manage and add the ACI there, for example:
(targetattr = "userPassword")
(version 3.0;
acl "Permissions to manage user passwords";
allow (all)
(userdn = "ldap:///uid=uhd,ou=people,dc=example,dc=com");)

>
> 3) I have a PKI. Can I manage (store) users' keys (public and private)
> directly through 389? If so, how? Could you point me in the right
> direction?
There is also a Fedora CA project.

>
>
>
> Thank you very much.
>
> have a nice weekend
>
> /AMR
> --
> Andrea Modesto Rossi
> Fedora Ambassador
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
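
A check for the least-privilege goal raised in this exchange, as an added example that is not part of the original thread or of 389 DS itself: it audits a password-reset ACI and emits LDIF for a write-only variant. The function names are hypothetical, the DNs are the example ones from the reply, and `POSTED_ACI` is the posted ACI with the closing `;)` that ACI syntax requires.

```python
import re

# Constructed sample: the ACI from the reply above, terminated with ";)".
POSTED_ACI = '''(targetattr = "userPassword")
(version 3.0;
acl "Permissions to manage user passwords";
allow (all)
(userdn = "ldap:///uid=uhd,ou=people,dc=example,dc=com");)'''

# Matches only the simple shape used in this thread: one targetattr clause,
# one allow clause, one userdn bind rule.
ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'\(?\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*\)?\s*;\s*\)\s*$',
    re.IGNORECASE)

def audit_reset_aci(aci):
    """Return findings for an ACI meant only to let one account reset passwords."""
    m = ACI_RE.match(aci.strip())
    if not m:
        return ["not a single-target, single-userdn allow ACI; review by hand"]
    findings = []
    attrs = {a.strip().lower() for a in m["attrs"].split("||")}
    if m["op"] == "!=" or attrs != {"userpassword"}:
        findings.append("targetattr covers more than userPassword")
    extra = {r.strip().lower() for r in m["rights"].split(",")} - {"write"}
    if extra:
        findings.append("grants %s; a reset needs only write" % ", ".join(sorted(extra)))
    dn = m["userdn"].lower()
    if dn in ("ldap:///anyone", "ldap:///all", "ldap:///self") or "*" in dn:
        findings.append("userdn is not one specific service account")
    return findings

def reset_aci_ldif(ou_dn, service_dn):
    """LDIF for ldapmodify: write-only access to userPassword below ou_dn."""
    aci = ('(targetattr = "userPassword")(version 3.0; '
           'acl "Password reset service"; allow (write) '
           '(userdn = "ldap:///%s");)' % service_dn)
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (ou_dn, aci)
```

The generated ACI grants nothing beyond writing `userPassword`, so the service account's ability to find user entries depends on whatever read and search ACIs already exist on the subtree.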
 
03-07-2011, 03:53 PM
Rich Megginson

Issue with 389

On 03/07/2011 02:57 AM, Carsten Grzemba wrote:

> ----- Original Message -----
> From: Andrea Modesto Rossi <amrossi@linux.it>
> Date: Saturday, 5 March 2011, 13:39
> Subject: [389-users] Issue with 389
> To: 389-users@lists.fedoraproject.org
>
>> Dear all,
>>
>> I hope you can help me in order to set up my first 389 Server.
>>
>> My situation: fresh install of 389 (Fedora 14), installed the
>> DS via yum from the standard repos. Everything seems to work properly,
>> DNA as well.
>>
>> Basically I've got 2 problems and 1 question.
>>
>> First of all, I work with 389 console ):
>>
>> 1) Adding a new group (e.g. administrator) I see that there is
>> not the GID attribute and I have to add it (by hand) every time
>> (Advanced properties ---> Object class ---> Add value ---> Posix Group);
>> it's very boring :-)
>> How can I fix this issue?
>
> If not already, there will be a new version which has a tab for editing posix group attributes.

Yes. This is already in updates testing - see
http://directory.fedoraproject.org/wiki/Release_Notes - this feature
was added in Alpha 3.

>> In general, is it possible to modify the basic
>> DIT? Indeed I'd like to add much more information (manager,
>> company,... and so on) for each new user in a fast way.
>
> The fastest way to modify LDAP is CLI (ldapmodify) ;-).
> To extend the GUI for more attributes is possible but less documented.

The console is not very extensible in this way. If you are a Java
programmer, you could add additional fields/tabs for the schema you
are interested in. For example, the recently added support for
Posix Groups.

>> 2) I'm writing a Web interface able to manage user accounts
>> (e.g. password). For some operations (reset pw) I need a Bind DN
>> user, right? Ok, please
>> could you help me write an ACL (principle of least privilege)
>> for this user? I don't like to use the directory manager (cn=directory
>> manager). My idea is to create a new user able to handle only his OU, and
>> nothing else!
>
> You can easily add an ACI on that OU node with the console:
> Set access permissions
>
> First you add a user who should get the permissions to manage the users, for example: uid=uhd,ou=people,dc=example,dc=com
>
> Choose the container which contains the users to manage and add the ACI there, for example:
> (targetattr = "userPassword")
> (version 3.0;
> acl "Permissions to manage user passwords";
> allow (all)
> (userdn = "ldap:///uid=uhd,ou=people,dc=example,dc=com");)

The DSGW has a user self service password change page -
http://directory.fedoraproject.org/wiki/DSGW

>> 3) I have a PKI. Can I manage (store) users' keys (public and private)
>> directly through 389? If so, how? Could you point me in the right
>> direction?
>
> There is also a Fedora CA project.
>
>> Thank you very much.
>>
>> have a nice weekend
>>
>> /AMR
>> --
>> Andrea Modesto Rossi
>> Fedora Ambassador

 
03-07-2011, 07:28 PM
"Andrea Modesto Rossi"

Issue with 389

On Mon, 7 March 2011 5:53 pm, Rich Megginson wrote:
> The DSGW has a user self service password change page -
> http://directory.fedoraproject.org/wiki/DSGW

Yep, but in that case users are able to change all their personal
information, and not only his/her password; however, thanks for this
"tip"... I didn't know the DS gateway.

Best regards,

/AMR

--
Andrea Modesto Rossi
Fedora Ambassador


 
03-07-2011, 09:24 PM
"Andrea Modesto Rossi"

Issue with 389

On Mon, 7 March 2011 10:57 am, Carsten Grzemba wrote:
> If not already, there will be a new version which has a tab for editing
> posix group attributes.

Perfect!


> You can easily add an ACI on that OU node with the console:
> Set access permissions
>
> First you add a user who should get the permissions to manage the users,
> for example: uid=uhd,ou=people,dc=example,dc=com
>
> Choose the container which contains the users to manage and add the
> ACI there, for example:
> (targetattr = "userPassword")
> (version 3.0;
> acl "Permissions to manage user passwords";
> allow (all)
> (userdn = "ldap:///uid=uhd,ou=people,dc=example,dc=com");)

;-)

> There is also a Fedora CA project.
>

Do you mean PKI Dogtag?

--
Andrea Modesto Rossi
Fedora Ambassador

