thr3ads.net - Fedora directory users - [Fedora-directory-users] User privileges [Sep 2008]

If this information is useful, please help other people find it:
Share via:

Dharmin Mandalia

2008-Sep-09 22:35 UTC

[Fedora-directory-users] User privileges

Hello

On our Directory Server, we have different OU''s for each department, 
under which we have dept users. Is it possible to allow each department 
admin''s to add/delete/edit user/group/other entries for their own 
department  OU ONLY , over Directory console, so basically one admin 
from each department have full access/rights over user/group/other 
entries under their dept OU, over Dir Console.

If you know how above can be done, please tell me....

Appreciate your reply.

Regards
Dharmin



fedora-directory-users@redhat.com

Joerg Antweiler

2008-Sep-16 10:46 UTC

head link

Re: [Fedora-directory-users] User privileges

Hi Dharmin,

you might want to work with aci''s. One way to achieve what you want :
define
your admin users in a meaningful ou :

your admin ou :

dn: ou=myadmins,o=some-root-suffix
ou:myadmins
objectClass: top
objectClass: organizationalunit

one of your admins :

dn: uid=Serviceadmin,ou=myadmins, o=some-root-suffix
givenName: Serviceadmin
sn: Serviceadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: Serviceadmin
cn: Serviceadmin
userPassword: some-password

define one corresponding aci for every ou

dn: ou=myorganizationalunit,o=some-root-suffix
aci: (targetattr = "*") (target
"ldap:///ou=myorganizationalunit,o=some-root-suffix") (version 3.0;acl
"Admin for myou Access ACI";allow (all)(userdn
"ldap:///uid=Serviceadmin,ou=myadmins, o=some-root-suffix");)
ou: myorganizationalunit
objectClass: top
objectClass: organizationalunit

Finetune security in terms of
which attributes can be accessed, modified etc. ( targetattr )
allowed operations ( in my example, all operations are allowed )

Hope it gives you an idea,
Regards,
Joerg



2008/9/10 Dharmin Mandalia <Dharmin.Mandalia@tanganet.net>
> Hello
>
> On our Directory Server, we have different OU''s for each
department, under
> which we have dept users. Is it possible to allow each department
admin''s to
> add/delete/edit user/group/other entries for their own department  OU ONLY
,
> over Directory console, so basically one admin from each department have
> full access/rights over user/group/other entries under their dept OU, over
> Dir Console.
>
> If you know how above can be done, please tell me....
>
> Appreciate your reply.
>
> Regards
> Dharmin
>
>
>
> fedora-directory-users@redhat.com
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

Fedora directory users - Sep 2008 - User privileges

[Fedora-directory-users] User privileges

Re: [Fedora-directory-users] User privileges