Re: Admin Server console question.

Chavez, James R. wrote:
Hello, I am looking to use the Directory Server Admin Console similar to how
the Active Directory Users and Computers tool is used.
More specifically, I would like to create an administrative group with
permission to perform certain functions such as resetting user passwords and
changing certain other attributes. I would like to log in to the console
with these users instead of Directory Manager or admin to limit the
access and damage that can be done.

I have created a group of users with full access to my suffix with the
ability to add and remove objects. I can do pretty much any operation
with ldapmodify, ldapadd, and ldapdelete from the command line.
However, I cannot log in to the Directory Server console with these users
to admin the directory.
If I log in as Directory Manager to the admin console and then select
"login as new user", I am able to log in with the users; however, the
Directory is not visible. I do not have the correct access somewhere,
obviously.
How can I configure FDS to allow these users to admin the directory in a
limited role? I am assuming I need to set ACIs in certain places to
allow logging into the FDS admin server console.
I am assuming this is possible. I am able to access it with a third-party
tool but would like to use the FDS admin console.
Access to the console is controlled by ACIs under o=NetscapeRoot - to see these, do the following search:

    ldapsearch -x -D "cn=directory manager" -w yourpassword -b o=netscaperoot "aci=*" aci

You will notice there are two main groups which are used with these ACIs:

    ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot

for all administrators, and there is an entry corresponding to each server - for example:

    dn: cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot

This entry is also a group entry - members of the server group entry are supposed to have access to the server:

    aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)
    aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)

I'm not sure if this will work if the user entry is in a different directory server.

Thank you
James


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

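The reply above points at two things a delegated-console setup depends on: the ACIs under o=NetscapeRoot, and membership in the per-server group entry they reference. The following is an added example, not code posted to the list or shipped with Fedora Directory Server. It parses ACI strings of the form shown in the reply (the two SAMPLE_ACIS are the ones quoted there, with the archive's line wrapping removed), reports which rights and writable attributes a given group ends up with, and produces the LDIF that adds a user to the server group entry. It assumes that entry is a groupOfUniqueNames, so membership is the uniquemember attribute (the attribute the write ACI targets); DELEGATE_DN is a constructed placeholder.

```python
"""Audit the o=NetscapeRoot ACIs that govern console access.

Added example for this thread, not code from the list or the project.
Assumptions: SAMPLE_ACIS are the two ACIs quoted in the reply; the server
group entry is a groupOfUniqueNames (membership = uniquemember);
DELEGATE_DN is a made-up user entry.
"""
import re

# The two ACIs quoted in the reply, with the archive's line wrapping removed.
SAMPLE_ACIS = [
    '(targetattr=*)(version 3.0; acl "Enable delegated access"; '
    'allow (read, search, compare) groupdn="ldap:///cn=slapd-ds, '
    'cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, '
    'ou=example.com, o=NetscapeRoot";)',
    '(targetattr="uniquemember || serverProductName || userpassword || description")'
    '(targetfilter=(objectclass=netscapeServer))(version 3.0; '
    'acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-ds, '
    'cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, '
    'ou=example.com, o=NetscapeRoot";)',
]

# Group entries named in the reply.
SERVER_GROUP_DN = ("cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, "
                   "cn=ldap.example.com, ou=example.com, o=NetscapeRoot")
CONFIG_ADMINS_DN = ("cn=Configuration Administrators, ou=Groups, "
                    "ou=TopologyManagement, o=NetscapeRoot")
# Constructed placeholder for the delegated administrator's own entry.
DELEGATE_DN = "uid=delegate,ou=People,dc=example,dc=com"

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"?([^")]*)"?\)')
TARGETFILTER_RE = re.compile(r'\(targetfilter\s*=\s*(\(.*?\))\)')
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.DOTALL)
BIND_RE = re.compile(r'(userdn|groupdn|roledn)\s*=\s*"([^"]*)"')


def normalize_dn(dn):
    """Lower-case a DN and drop the ldap:/// prefix and spaces after commas,
    so a DN inside an ACI compares equal to one typed by hand."""
    dn = dn.strip()
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return re.sub(r",\s*", ",", dn).lower()


def parse_aci(aci):
    """Split one ACI into its target attributes, filter, name and bind rules."""
    name = ACL_NAME_RE.search(aci)
    attrs = TARGETATTR_RE.search(aci)
    filt = TARGETFILTER_RE.search(aci)
    rules = []
    for effect, perms, bind in RULE_RE.findall(aci):
        rules.append({
            "effect": effect,
            "permissions": [p.strip() for p in perms.split(",") if p.strip()],
            # (kind, dn) pairs, e.g. ("groupdn", "ldap:///cn=...")
            "subjects": BIND_RE.findall(bind),
        })
    return {
        "name": name.group(1) if name else "",
        "targetattr": [a.strip() for a in attrs.group(1).split("||")] if attrs else ["*"],
        "targetfilter": filt.group(1) if filt else None,
        "rules": rules,
    }


def _allows_group(rule, group_dn):
    wanted = normalize_dn(group_dn)
    return rule["effect"] == "allow" and any(
        kind == "groupdn" and normalize_dn(dn) == wanted for kind, dn in rule["subjects"])


def rights_for_group(acis, group_dn):
    """Map each permission granted to group_dn to the ACL names granting it."""
    granted = {}
    for aci in acis:
        parsed = parse_aci(aci)
        for rule in parsed["rules"]:
            if _allows_group(rule, group_dn):
                for perm in rule["permissions"]:
                    granted.setdefault(perm, []).append(parsed["name"])
    return granted


def writable_attrs_for_group(acis, group_dn):
    """Attributes group_dn may write; '*' means every attribute of the target."""
    attrs = set()
    for aci in acis:
        parsed = parse_aci(aci)
        if any(_allows_group(r, group_dn) and "write" in r["permissions"]
               for r in parsed["rules"]):
            attrs.update(parsed["targetattr"])
    return attrs


def build_member_ldif(server_group_dn, user_dn):
    """LDIF adding user_dn to the server group entry (assumed groupOfUniqueNames),
    the membership the ACIs above key on.  Feed it to ldapmodify as Directory Manager."""
    return "\n".join([f"dn: {server_group_dn}", "changetype: modify",
                      "add: uniquemember", f"uniquemember: {user_dn}", ""])


if __name__ == "__main__":
    for perm, names in sorted(rights_for_group(SAMPLE_ACIS, SERVER_GROUP_DN).items()):
        print(f"{perm:8} via {', '.join(names)}")
    print("writable:", sorted(writable_attrs_for_group(SAMPLE_ACIS, SERVER_GROUP_DN)))
    print(build_member_ldif(SERVER_GROUP_DN, DELEGATE_DN))
```

Run against the real output of the ldapsearch in the reply (one ACI value per list element), the audit shows that membership in the server group entry grants read/search/compare on the whole server subtree plus write on uniquemember, serverProductName, userpassword and description of netscapeServer entries; note that the write right covers the group's own membership attribute, which is worth knowing before delegating it.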
