User Account Management

Hi all

I've managed to get a few features that I'd been struggling with working
on FDS, however I'd appreciate any guidance with the following:

Our service desk is outsourced and I'm looking to replace an existing
NIS implementation with LDAP (probably Redhat, but until we prove it to
be reliable I'm sticking with FDS for now).

I'm trying to avoid using the Administrator accounts set up in
O=NetscapeRoot and create user accounts within the main
dc=example,dc=com schema and give them access to the relevant subtrees
to be able to create user accounts, reset passwords etc - effectively
delegating restricted admin access whilst still ensuring the security
model.

I thought I had achieved this by setting an Access Role on the target OU
and specifying that a group I had already created would have full access
to all attributes (I can refine this later to restrict down to the bare
minimum).

Below is the syntax obtained from the GUI console when setting up the
restriction

(targetattr = "*")
(target = "ldap:///ou=Laser,dc=example,dc=com")
(version 3.0;
acl "Sdesk";
allow (all)
(groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com")
;)

However, when I attempt to add a user via the newuser.pl script I
obtained from netauth, I get the following:

failed to add entry: Insufficient 'write' privilege to the
'userPassword' attribute at ./newuser.pl line 232, <DATA> line 228.

Has anyone implemented a security model like this and if so, would they
be able to share any experiences?

Thanks

Darren




--
Darren Paxton, European Midrange Systems Senior Engineer
Centralised Operations | MMC Global Technology Infrastructure (MGTI)
Mercer Human Resource Consulting | Mercury Court, Tithebarn Street,
Liverpool, L2 2QH, Merseyside, UK
+44 (0) 151 242 7216 | Mobile +44 (0) 7789 0 30027 |
darren.paxton at mercer.com
www.mmc.com


This e-mail and any attachments may be confidential or legally
privileged. If you received this message in error or are not the intended
recipient, you should destroy the email message and any attachments or
copies, and you are prohibited from retaining, distributing, disclosing
or using any information contained herein. Please inform us of the
erroneous delivery by return e-mail. Thank you for your co-operation.

Mercer Human Resource Consulting Limited is authorised and regulated by
the Financial Services Authority. Registered in England No. 984275.
Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU.
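
An added example, not part of the original message or of the FDS project: a small Python parser for the access control instruction quoted above that reports, from the rule text alone, what the rule grants and where it is broader than a delegated service-desk role needs. The function names are hypothetical, no directory server is contacted, and clauses using != are rejected rather than interpreted.

```python
import re

# Constructed sample: the ACI quoted in the post, joined onto one line.
SAMPLE_ACI = (
    '(targetattr = "*")(target = "ldap:///ou=Laser,dc=example,dc=com")'
    '(version 3.0; acl "Sdesk"; allow (all) '
    '(groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com");)'
)

# Only "=" target clauses are read; "!=" clauses are left over and rejected below.
TARGET_RE = re.compile(r'\(\s*(target|targetattr|targetfilter)\s*=\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
    r'\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', re.S)

def parse_aci(text):
    """Split one ACI into its target clauses, rights and bind rule."""
    body = BODY_RE.search(text)
    if not body:
        raise ValueError("no 'version 3.0; acl ...;' permission clause found")
    head = text[:body.start()]
    if TARGET_RE.sub("", head).strip():
        # Anything left over is a clause this parser could not read.
        raise ValueError("unparsed text in target section: %r" % head)
    targets = dict(TARGET_RE.findall(head))
    attrs = targets.get("targetattr", "").split("||")
    return {
        "name": body.group(1),
        "type": body.group(2),
        "rights": [r.strip().lower() for r in body.group(3).split(",")],
        "bind_rule": body.group(4).strip("() "),
        "target": targets.get("target"),
        "targetattr": [a.strip().lower() for a in attrs if a.strip()],
    }

def covers(aci, right, attr):
    """True if the rule text alone allows `right` on `attr` (no server evaluation)."""
    right, rights = right.lower(), aci["rights"]
    rights_ok = right in rights or ("all" in rights and right != "proxy")
    attr_ok = "*" in aci["targetattr"] or attr.lower() in aci["targetattr"]
    return aci["type"] == "allow" and rights_ok and attr_ok

def audit(aci):
    """Return least-privilege findings for a delegated-admin rule."""
    findings = []
    if aci["type"] == "allow" and "all" in aci["rights"]:
        findings.append("rights: 'all' granted; list only the rights the role needs")
    if aci["type"] == "allow" and "*" in aci["targetattr"]:
        findings.append("targetattr: '*' granted; name the attributes the role may touch")
    return findings

if __name__ == "__main__":
    parsed = parse_aci(SAMPLE_ACI)
    print(parsed["bind_rule"], covers(parsed, "write", "userPassword"), audit(parsed))
```

The result describes the rule text only; whether a given bind identity matches the groupdn is decided by the server at evaluation time.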