[Fedora-directory-users] Admin Server console question.

Rich Megginson rmeggins at redhat.com
Mon Apr 13 19:04:41 UTC 2009


Chavez, James R. wrote:
> Hello, 
> I am looking to use the Directory Server Admin Console similar to how
> the Active Directory Users and Computers tool is used.
> More specifically I would like to create an administrative group with
> permission to perform certain functions such as reset user passwords and
> change certain other attributes. I would like to login to the console
> with these users instead of Directory Manager or admin to limit the
> access and damage that can be done.
>
> I have created a group of users with full access to my suffix with
> ability to add and remove objects. I can do pretty much any operation
> with ldapmodify, ldapadd, ldapdelete from the command line. 
>
> However I cannot login to the Directory server console with these users
> to admin the directory.
> If I login as Directory Manager to the admin console and then select
> "login as new user" I am able to login with the users, however the
> Directory is not visible. I do not have the correct access somewhere
> obviously. 
>
> How can I configure FDS to allow these users to admin the directory in a
> limited role? I am assuming I need to set aci's in certain places to
> allow logging into the FDS admin server console.
> I am assuming this is possible. I am able to access with a third party
> tool but would like to use the FDS admin console.
>   
Access to the console is controlled by acis under o=NetscapeRoot - to
see these do the following search:
ldapsearch -x -D "cn=directory manager" -w yourpassword -b o=netscaperoot "aci=*" aci

You will notice there are two main groups which are used with these acis:
ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot
for all administrators
there is an entry corresponding to each server - for example:
dn: cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot
This entry is also a group entry - members of the server group entry are
supposed to have access to the server:
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)

I'm not sure if this will work if the user entry is in a different 
directory server.

> Thank you
> James
>
>
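As an added example (not part of the thread, and not code from the Fedora Directory Server project), a small Python audit of the search output described in the reply: it unfolds the LDIF continuation lines that ldapsearch prints, extracts what each ACI under o=NetscapeRoot grants and to which group, and lists the groups an ACI lets write userpassword. The sample search output is constructed from the two ACIs quoted in the reply; the regular expressions assume the ACI syntax shown there.

```python
import re

# Constructed sample of the ldapsearch output the reply describes; LDIF folds
# long values onto continuation lines that begin with a single space.
SAMPLE_LDIF = """\
dn: cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, s
 earch, compare) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=
 Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || descrip
 tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable ac
 cess delegation"; allow (write) groupdn="ldap:///cn=slapd-ds, cn=Fedora Direc
 tory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)
"""

def unfold_ldif(text):
    """Undo LDIF folding: a newline followed by one space continues the previous line."""
    return re.sub(r"\n ", "", text).splitlines()

def parse_aci(aci):
    """Pull acl name, target attributes, target filter, granted rights and group out of one ACI."""
    def grab(pattern, default=""):
        m = re.search(pattern, aci, re.IGNORECASE)
        return m.group(1) if m else default
    attrs = grab(r'\(targetattr\s*=\s*"?([^)"]*)"?\)')
    return {
        "name": grab(r'acl\s+"([^"]*)"'),
        "targetattr": [a.strip().lower() for a in attrs.split("||")],
        "targetfilter": grab(r'\(targetfilter\s*=\s*(\([^)]*\))\)', None),
        "rights": [r.strip().lower() for r in grab(r'allow\s*\(([^)]*)\)').split(",")],
        "groupdn": grab(r'groupdn\s*=\s*"ldap:///([^"]*)"'),
    }

def audit(ldif_text):
    """Return one record per aci value, tagged with the dn of the entry that carries it."""
    records, dn = [], None
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("aci:"):
            records.append(dict(parse_aci(line[4:].strip()), dn=dn))
    return records

def password_writers(records):
    """Groups that some ACI lets write userpassword (or every attribute) on its entry."""
    return sorted({r["groupdn"] for r in records if "write" in r["rights"]
                   and ("userpassword" in r["targetattr"] or "*" in r["targetattr"])})
```

Feed it the real `ldapsearch ... "aci=*" aci` output instead of SAMPLE_LDIF to see which groups the console ACIs actually grant rights to before adding a delegated administrator to one of them.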
