Re: User privileges

["Joerg Antweiler" <antweilers@xxxxxxxxxxxxxx>]

Hi Dharmin,

you might want to work with aci's. One way to achieve what you want : define your admin users in a meaningful ou :

your admin ou :

dn: ou=myadmins,o=some-root-suffix
ou:myadmins
objectClass: top
objectClass: organizationalunit

one of your admins :

dn: uid=Serviceadmin,ou=myadmins, o=some-root-suffix
givenName: Serviceadmin
sn: Serviceadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: Serviceadmin
cn: Serviceadmin
userPassword: some-password

define one corresponding aci for every ou

dn: ou=myorganizationalunit,o=some-root-suffix
aci: (targetattr = "*") (target = "ldap:///ou=myorganizationalunit,o=some-root-suffix") (version 3.0;acl "Admin for myou Access ACI";allow (all)(userdn = "ldap:///uid=Serviceadmin,ou=myadmins, o=some-root-suffix");)
ou: myorganizationalunit
objectClass: top
objectClass: organizationalunit

Finetune security in terms of
which attributes can be accessed, modified etc. ( targetattr )
allowed operations ( in my example, all operations are allowed )

Hope it gives you an idea,
Regards,
Joerg

2008/9/10 Dharmin Mandalia <Dharmin.Mandalia@xxxxxxxxxxxx>

Hello

On our Directory Server, we have different OU's for each department, under which we have dept users. Is it possible to allow each department admin's to add/delete/edit user/group/other entries for their own department  OU ONLY , over Directory console, so basically one admin from each department have full access/rights over user/group/other entries under their dept OU, over Dir Console.

If you know how above can be done, please tell me....

Appreciate your reply.

Regards
Dharmin



fedora-directory-users@xxxxxxxxxx


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users