ldap separate OU-administrator account
Hi,

I need some guidance. I have a simple DIT with users in the users OU, and a separate OU for admins.

In addition to the Manager, I have created an admin2 account in the admins OU; however, the default permissions don't allow admin2.admins.domain.tld to create users in the users.domain.tld OU.

I also don't want admin2 to have permissions equal to Manager's. I am giving that account to our user administrator, and they only need access to create/modify/delete users under the users OU (on the basis of least privilege, I don't want them to have full access).

I am using dynamic LDAP; I have already created the users and admin accounts, I just need guidance on adding the ACLs.

I am a complete novice with OpenLDAP. What do I need to do to grant the correct olcAccess so that the admin2 account can create users in the users.domain.tld OU?

I'd also like a read-only admin in the admins OU that can view all details for all users under the users OU.

And, as the cream on top of the cake, I'd like to prohibit accounts in the users OU from looking at any of the other LDAP objects, other than their own entry.

I think I'm right that I need to modify the olcAccess rules, but I don't know how. The current olcAccess rules follow:

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
<… CUT  …>
olcSuffix: dc=domain,dc=tld
olcRootDN: cn=Manager,dc=domain,dc=tld
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=domain,dc=tld" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=domain,dc=tld" write by * read

(I have tweaked the text output to replace our domain; please ignore any typos I may have inadvertently introduced.)

I have read the admin guides and man pages, but I can't clearly see what LDIF stanzas I need to construct.

Thanks in advance.

Gary Spencer


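As an added worked example (not from the original post and not OpenLDAP project code), here is a small Python evaluator for the olcAccess evaluation order, applied to one candidate rule set for the three requests above: a delegated admin that can create and change entries under the users OU, a read-only admin, and users that see nothing but themselves. Only olcSuffix and olcRootDN are taken from the post; everything else is an assumption: the DNs ou=users,dc=domain,dc=tld and ou=admins,dc=domain,dc=tld, cn=admin2 under ou=admins, a hypothetical read-only account cn=auditor, and the constructed user entries uid=alice and uid=bob. The evaluator handles only the subset of slapd.access(5) syntax used here (dn.base, dn.subtree, attrs=, and by */anonymous/self/dn.exact/dn.subtree), checks one attribute at a time, and is a reading aid for the ordering rules, not a substitute for slapacl(8).

```python
"""Added example: evaluator for a subset of OpenLDAP olcAccess directives.
Replays slapd's order (slapd.access(5)): the first "to" clause matching both
entry and attribute is chosen, the first matching "by" clause inside it decides,
and a matched directive whose "by" clauses all miss denies (as if "by * none")."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BASE = "dc=domain,dc=tld"             # the poster's olcSuffix
ROOTDN = f"cn=Manager,{BASE}"         # the poster's olcRootDN: never subject to ACLs
USERS_OU = f"ou=users,{BASE}"         # assumed DN of the users OU
ADMINS_OU = f"ou=admins,{BASE}"       # assumed DN of the admins OU
ADMIN2 = f"cn=admin2,{ADMINS_OU}"     # assumed DN of the delegated admin
AUDITOR = f"cn=auditor,{ADMINS_OU}"   # hypothetical read-only admin account

# Candidate olcAccess values (assumed, not from the post); list position stands in for {n}.
PROPOSED_ACL = [
    # passwords inside ou=users: admin2 may reset, anyone may bind, owners may change
    f'to dn.subtree="{USERS_OU}" attrs=userPassword,shadowLastChange '
    f'by dn.exact="{ADMIN2}" write by anonymous auth by self write by * none',
    # passwords anywhere else (ou=admins included): bind and self-change only
    'to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    # the users subtree: admin2 writes, the auditor reads, users see only themselves
    f'to dn.subtree="{USERS_OU}" by dn.exact="{ADMIN2}" write '
    f'by dn.exact="{AUDITOR}" read by self read by * none',
    # everything else (base entry, ou=admins, ...): readable by admin accounts only
    f'to * by dn.subtree="{ADMINS_OU}" read by * none',
]

_WHAT = re.compile(r'^to\s+(?:\*|dn\.(base|subtree)="([^"]*)")?\s*(?:attrs=([\w,]+))?\s*')
_BY = re.compile(r'by\s+(\*|anonymous|self|dn\.(?:exact|subtree)="[^"]*")\s+(\w+)')

def parse(directive):
    """Splits one directive into a <what> tuple and an ordered list of (<who>, level)."""
    m = _WHAT.match(directive)
    if m is None:
        raise ValueError(f"unsupported <what>: {directive}")
    attrs = None if m.group(3) is None else {a.lower() for a in m.group(3).split(",")}
    whos = _BY.findall(directive[m.end():])
    if not whos or any(level not in LEVELS for _, level in whos):
        raise ValueError(f"unsupported <by> clause: {directive}")
    return (m.group(1), m.group(2), attrs), whos

def _in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def _what_matches(what, target, attr):
    scope, dn, attrs = what
    if scope == "base" and target.lower() != dn.lower():
        return False
    if scope == "subtree" and not _in_subtree(target, dn):
        return False
    # attrs= limits a directive to those attributes; "entry"/"children" match only without it
    return attrs is None or attr.lower() in attrs

def _who_matches(who, bind, target):
    if who == "*":
        return True
    if who == "anonymous":
        return bind == ""
    if who == "self":
        return bind != "" and bind.lower() == target.lower()
    kind, _, dn = who.partition("=")  # dn.exact="..." or dn.subtree="..."
    dn = dn.strip('"')
    return bind.lower() == dn.lower() if kind == "dn.exact" else _in_subtree(bind, dn)

def allowed(acl, bind, target, attr, needed):
    """True if `bind` ("" = anonymous) gets at least `needed` access to `attr` of `target`."""
    if bind.lower() == ROOTDN.lower():
        return True  # the rootdn bypasses access control entirely
    for directive in acl:
        what, whos = parse(directive)
        if not _what_matches(what, target, attr):
            continue  # this "to" does not apply; try the next directive
        for who, granted in whos:
            if _who_matches(who, bind, target):
                return LEVELS.index(granted) >= LEVELS.index(needed)
        return False  # "to" matched but no "by" did: denied, as if "by * none"
    return False  # nothing matched; PROPOSED_ACL ends with a catch-all, so unused here

def can_add_entry(acl, bind, new_dn):
    """An add needs write on the parent's "children" and on the new entry's "entry"."""
    parent = new_dn.split(",", 1)[1]
    return (allowed(acl, bind, parent, "children", "write")
            and allowed(acl, bind, new_dn, "entry", "write"))

def scenario(acl=PROPOSED_ACL):
    """The requests from the question, using constructed user DNs alice and bob."""
    alice, bob = f"uid=alice,{USERS_OU}", f"uid=bob,{USERS_OU}"
    return {
        "admin2_can_add_user": can_add_entry(acl, ADMIN2, alice),
        "admin2_can_reset_user_password": allowed(acl, ADMIN2, alice, "userPassword", "write"),
        "admin2_cannot_reset_admin_password": not allowed(acl, ADMIN2, AUDITOR, "userPassword", "write"),
        "auditor_can_read_users": allowed(acl, AUDITOR, alice, "mail", "read"),
        "auditor_cannot_add_user": not can_add_entry(acl, AUDITOR, bob),
        "user_sees_self": allowed(acl, alice, alice, "mail", "read"),
        "user_cannot_see_others": not allowed(acl, alice, bob, "mail", "read"),
        "user_cannot_see_admins": not allowed(acl, alice, AUDITOR, "entry", "read"),
        "anonymous_can_still_bind": allowed(acl, "", alice, "userPassword", "auth"),
    }

if __name__ == "__main__":
    print(scenario())
```

To apply a set like this, the five values go into an LDIF `changetype: modify` with `replace: olcAccess`, numbered {0} to {4} in the order shown, against olcDatabase={2}hdb,cn=config, and the live result should be checked with slapacl before the account is handed over, e.g. `slapacl -F /etc/openldap/slapd.d -D "cn=admin2,ou=admins,dc=domain,dc=tld" -b "uid=alice,ou=users,dc=domain,dc=tld" userPassword/write` (the config path is an assumption). Two points the evaluator makes visible: the password directive is scoped to ou=users so that admin2 cannot reset passwords of accounts in ou=admins, and because the final `to * ... by * none` hides everything outside a user's own entry, it is worth binding as an ordinary user with ldapsearch to confirm the applications that use the directory still find what they need.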