Paxton, Darren wrote:
> Hi all
>
> I've managed to get a few features that I'd been struggling with
> working on FDS, however I'd appreciate any guidance with the following:
>
> Our service desk is outsourced and I'm looking to replace an existing
> NIS implementation with LDAP (probably Redhat, but until we prove it
> to be reliable I'm sticking with FDS for now).
>
> I'm trying to avoid using the Administrator accounts set up in
> O=NetscapeRoot and create user accounts within the main
> dc=example,dc=com schema and give them access to the relevant subtrees
> to be able to create user accounts, reset passwords etc - effectively
> delegating restricted admin access whilst still ensuring the security
> model.
>
> I thought I had achieved this by setting an Access Role on the target
> OU and specifying that a group I had already created would have full
> access to all attributes (I can refine this later to restrict down to
> the bare minimum).
>
> Below is the syntax obtained from the GUI console when setting up the
> restriction:
>
> (targetattr = "*")
> (target = "ldap:///ou=Laser,dc=example,dc=com")
> (version 3.0;
> acl "Sdesk";
> allow (all)
> (groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com")
> ;)
>
> however, when I attempt to add a user via the newuser.pl script I
> obtained from netauth, I get the following:
>
> failed to add entry: Insufficient 'write' privilege to the
> 'userPassword' attribute at ./newuser.pl line 232, <DATA> line 228.

If you add an entry without the userPassword attribute, does it succeed?

Do you have an ACI on dc=example,dc=com or ou=Laser that denies access to
the userPassword attribute (e.g. (targetattr!=userPassword))?

> Has anyone implemented a security model like this and if so, would
> they be able to share any experiences.
>
> Thanks
>
> Darren
>
> --
> *Darren Paxton*, European Midrange Systems Senior Engineer
> Centralised Operations | MMC Global Technology Infrastructure (MGTI)
> Mercer Human Resource Consulting | Mercury Court, Tithebarn Street,
> Liverpool, L2 2QH, Merseyside, UK
> +44 (0) 151 242 7216 | Mobile +44 (0) 7789 0 30027 |
> darren.paxton at mercer.com
> www.mmc.com
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
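One way to act on the question above about ACIs that grant or deny write on userPassword, as an added example that is not part of the thread or of any 389/FDS tooling: a small Python checker that parses ACI strings (as you would read them back from the aci attribute with ldapsearch) and reports which ones allow or deny a given right on a given attribute. The first sample ACI mirrors the "Sdesk" ACI from the post; the other two are constructed to show a "!=" targetattr and an explicit deny.

```python
import re

# Constructed ACI list (not from the thread, except the first, which mirrors
# the "Sdesk" ACI in the post): a "*" allow, a "!=" read rule, an explicit deny.
ACIS = [
    '(targetattr = "*")(target = "ldap:///ou=Laser,dc=example,dc=com")'
    '(version 3.0; acl "Sdesk"; allow (all) '
    '(groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com");)',
    '(targetattr != "userPassword")(version 3.0; acl "Anonymous read"; '
    'allow (read, search, compare) (userdn = "ldap:///anyone");)',
    '(targetattr = "userPassword")(version 3.0; acl "No pw write"; '
    'deny (write) (userdn = "ldap:///all");)',
]

ATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
RULE_RE = re.compile(r'acl\s*"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)', re.I)

def parse_aci(aci):
    """Pull out the targetattr clause and the first allow/deny rule of an ACI."""
    m_attr, m_rule = ATTR_RE.search(aci), RULE_RE.search(aci)
    if not (m_attr and m_rule):
        raise ValueError("unparsable ACI: %r" % aci)
    return {"op": m_attr.group(1),
            "attrs": [a.strip().lower() for a in m_attr.group(2).split("||")],
            "name": m_rule.group(1),
            "verb": m_rule.group(2).lower(),
            "rights": [r.strip().lower() for r in m_rule.group(3).split(",")]}

def covers_attr(parsed, attr):
    """'=' lists attributes in scope ('*' = all); '!=' means all except those listed."""
    attr = attr.lower()
    if parsed["op"] == "=":
        return "*" in parsed["attrs"] or attr in parsed["attrs"]
    return attr not in parsed["attrs"]

def grants_right(parsed, right):
    return "all" in parsed["rights"] or right.lower() in parsed["rights"]

def classify(acis, attr="userPassword", right="write"):
    """Return (allowing ACI names, denying ACI names) for `right` on `attr`.
    No allow means denied by default; an explicit deny overrides any allow."""
    allows, denies = [], []
    for aci in acis:
        p = parse_aci(aci)
        if covers_attr(p, attr) and grants_right(p, right):
            (allows if p["verb"] == "allow" else denies).append(p["name"])
    return allows, denies
```

Run classify() over every aci value found on dc=example,dc=com and ou=Laser: an empty allow list or a non-empty deny list for userPassword/write is what produces the "Insufficient 'write' privilege" error above.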