Hi all I've managed to get a few features that I'd been struggling with working on FDS, however I'd appreciate any guidance with the following: Our service desk is outsourced and I'm looking to replace an existing NIS implementation with LDAP (probably Redhat, but until we prove it to be reliable I'm sticking with FDS for now). I'm trying to avoid using the Administrator accounts set up in O=NetscapeRoot and create user accounts within the main dc=example,dc=com schema and give them access to the relevant subtrees to be able to create user accounts, reset passwords etc - effectively delegating restricted admin access whilst still ensuring the security model. I thought i had achieved this by setting an Access Role on the target OU and specifying that a group I had already created would have full access to all attributes (I can refine this later to restrict down to the bare minimum). Below is the syntax obtained from the GUI console when setting up the restriction (targetattr = "*") (target = "ldap:///ou=Laser,dc=example,dc=com") (version 3.0; acl "Sdesk"; allow (all) (groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com") ;) however, when I attempt to add a user via the newuser.pl script I obtained from netauth, I get the following: failed to add entry: Insufficient 'write' privilege to the 'userPassword' attribute at ./newuser.pl line 232, <DATA> line 228. Has anyone implemented a security model like this and if so, would they be able to share any experiences. Thanks Darren -- Darren Paxton, European Midrange Systems Senior Engineer Centralised Operations | MMC Global Technology Infrastructure (MGTI) Mercer Human Resource Consulting | Mercury Court, Tithebarn Street, Liverpool, L2 2QH, Merseyside, UK +44 (0) 151 242 7216 | Mobile +44 (0) 7789 0 30027 | darren.paxton at mercer.com <file://'mailto:darren.paxton at mercer.com'> www.mmc.com <file://'http://www.mmc.com'> This e-mail and any attachments may be confidential or legally privileged.If you received this message in error or are not the intended recipient, you should destroy the email message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained herein. Please inform us of the erroneous delivery by return e-mail. Thank you for your co-operation. Mercer Human Resource Consulting Limited is authorised and regulated by the Financial Services Authority. Registered in England No. 984275. Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20070305/06049a8d/attachment.html