Chavez, James R. wrote:
> Hello,
> I am looking to use the Directory Server Admin Console similar to how
> the Active Directory Users and Computers tool is used.
> More specifically I would like to create an administrative group with
> permission to perform certain functions such as reset user passwords and
> change certain other attributes. I would like to log in to the console
> with these users instead of Directory Manager or admin to limit the
> access and damage that can be done.
>
> I have created a group of users with full access to my suffix with
> ability to add and remove objects. I can do pretty much any operation
> with ldapmodify, ldapadd, ldapdelete from the command line.
>
> However I cannot log in to the Directory Server console with these users
> to admin the directory.
> If I log in as Directory Manager to the admin console and then select
> "login as new user" I am able to log in with the users, however the
> Directory is not visible. I do not have the correct access somewhere
> obviously.
>
> How can I configure FDS to allow these users to admin the directory in a
> limited role? I am assuming I need to set ACIs in certain places to
> allow logging into the FDS admin server console.
> I am assuming this is possible. I am able to access with a third party
> tool but would like to use the FDS admin console.
Access to the console is controlled by ACIs under o=NetscapeRoot. To see these, do the following search:

ldapsearch -x -D "cn=directory manager" -w yourpassword -b o=netscaperoot "aci=*" aci

You will notice there are two main groups which are used with these ACIs:

ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot

for all administrators. There is an entry corresponding to each server, for example:

dn: cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot

This entry is also a group entry; members of the server group entry are supposed to have access to the server:

aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)

I'm not sure if this will work if the user entry is in a different directory server.

> Thank you
> James
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090413/4ae30ee8/attachment.bin
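As an added example (not code from this thread, nor from Fedora/389 Directory Server itself): a small Python script that unfolds the LDIF returned by the ldapsearch in the reply, parses each ACI value into its acl name, rights, target attributes, target filter and groupdn subjects, reports what the server group entry is granted, and emits the ldapmodify LDIF that adds a delegated admin to that server group. The embedded LDIF dump is constructed from the two ACIs quoted in the reply (kept LDIF-folded, as the archive shows them). The admin DN uid=jchavez,ou=People,dc=example,dc=com is an assumption, as is the use of uniquemember as the server group's membership attribute; uniquemember is simply the attribute the write ACI names.

```python
"""Audit the o=NetscapeRoot console-delegation ACIs and build the LDIF that
delegates console access to a user.

Added example, not code from the mailing-list thread or from Fedora/389
Directory Server. SAMPLE_LDIF is constructed from the two ACIs quoted in the
reply; the delegated admin DN and the uniquemember membership attribute are
assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample of what
#   ldapsearch -x -D "cn=directory manager" -w ... -b o=netscaperoot "aci=*" aci
# returns. Lines beginning with a space are LDIF continuation lines.
SAMPLE_LDIF = """\
dn: cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, s
 earch, compare) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=
 Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || descrip
 tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable ac
 cess delegation"; allow (write) groupdn="ldap:///cn=slapd-ds, cn=Fedora Direc
 tory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=
 NetscapeRoot";)
"""

SERVER_GROUP_DN = ("cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, "
                   "cn=ldap.example.com, ou=example.com, o=NetscapeRoot")


@dataclass
class Aci:
    name: str
    rights: list
    target_attrs: list   # ["*"] means every attribute
    target_filter: str   # "" when the ACI has no targetfilter
    group_dns: list      # groupdn subjects with the ldap:/// prefix removed


def unfold_ldif(text):
    """Join LDIF continuation lines (RFC 2849: a leading space continues the line above)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return [(dn, [aci value, ...]), ...] from an LDIF search result.

    Only plain 'attr: value' lines are handled; base64 ('::') values are not.
    """
    entries = []
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            entries.append((value, []))
        elif attr == "aci" and entries:
            entries[-1][1].append(value)
    return entries


def parse_aci(aci):
    """Extract name, rights, target attributes, target filter and groupdn subjects from one ACI."""
    attrs_m = re.search(r'\(targetattr\s*=\s*"?([^)"]+)"?\)', aci)
    filter_m = re.search(r'\(targetfilter\s*=\s*(\(.*?\))\)', aci)
    name_m = re.search(r'acl\s+"([^"]*)"', aci)
    rule_m = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', aci)
    if not (attrs_m and name_m and rule_m) or rule_m.group(1) != "allow":
        raise ValueError(f"unsupported ACI syntax: {aci!r}")
    groups = re.findall(r'groupdn\s*=\s*"([^"]+)"', rule_m.group(3))
    return Aci(
        name=name_m.group(1),
        rights=[r.strip() for r in rule_m.group(2).split(",")],
        target_attrs=[a.strip() for a in attrs_m.group(1).split("||")],
        target_filter=filter_m.group(1) if filter_m else "",
        group_dns=[g.strip().removeprefix("ldap:///")
                   for grp in groups for g in grp.split("||")],
    )


def grants_for_group(text, group_dn):
    """Map each right to the (sorted) attributes the group holds it on, across all ACIs in the dump."""
    grants = {}
    for _dn, acis in parse_entries(text):
        for aci in map(parse_aci, acis):
            if group_dn not in aci.group_dns:
                continue
            for right in aci.rights:
                grants.setdefault(right, set()).update(aci.target_attrs)
    return {right: sorted(attrs) for right, attrs in grants.items()}


def delegation_ldif(server_group_dn, admin_dn):
    """ldapmodify LDIF that adds a delegated admin to the server group entry.

    uniquemember is assumed to be the membership attribute (it is the one the
    write ACI names); admin_dn is whatever user should get console access.
    """
    return (f"dn: {server_group_dn}\n"
            "changetype: modify\n"
            "add: uniquemember\n"
            f"uniquemember: {admin_dn}\n")


if __name__ == "__main__":
    for right, attrs in grants_for_group(SAMPLE_LDIF, SERVER_GROUP_DN).items():
        print(f"{right:8s} on {', '.join(attrs)}")
    print(delegation_ldif(SERVER_GROUP_DN, "uid=jchavez,ou=People,dc=example,dc=com"))
```

To run it against a live server, replace SAMPLE_LDIF with the real output of the ldapsearch and feed the printed LDIF to ldapmodify -x -D "cn=directory manager" -W. The grants table is the part worth reading before delegating anything: with the two ACIs as quoted, members of the server group get read, search and compare on every attribute under that entry, and write on uniquemember, serverProductName, userpassword and description of netscapeServer entries, so membership of the server group lets a member add further members and is itself a privilege to review.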