On Tue, Jun 16, 2009 at 7:29 PM, John A. Sullivan III <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:
John, (and anyone else of course...)
I read your mail that you referred to...
http://www.mail-archive.com/fedora-directory-users@xxxxxxxxxx/msg09428.html
and don't really see an answer to the question, or more honestly, the very similar question I was about to ask before I saw this. In briefest summary, we create a separate user who has rights to see but
not change the commonly needed fields for as much of the DIT as is
needed for the various servers, e.g., some may need to see the entire
tree whereas other may only need a small subset. The ACI's are in that
large post. We then use this user as the binddn in ldap.conf. We never
use cn=Directory Manager and always remove anonymous browsing. In fact,
we also change the cn for both Directory Manager and the admin user just
to further obscure the setup. Hope this helps - John
John, (and anyone else of course...)
I read your mail that you referred to...
http://www.mail-archive.com/fedora-directory-users@xxxxxxxxxx/msg09428.html
That was how to have a full administrative user that is not Directory Manager. I'm working in a very high profile confidential project and to our shame are still using this account for pretty much everything of note (despite my protestations from day 1, I assure you!!) including the IDM console which is our main tool for managing data in it. I've tried to work out the most formal and effective way to make my own normal user account able to do whatever Directory Manager can do with the console but without luck. I expect it's an awful lot simpler than I think it is. In line with doing it "right" there's a Directory Administrators (or nearly that) group which I tried adding users to but no change was seen, and I'd think there's a difference between the access within the main directory and the Admin server config in o=NetscapeRoot. Is there an ACI that already exists and such?
Also looking at your notes, it seems there may be better ways to manage a single directory (2 multimasters and 6 replicas) like bypassing the initial Admin section and going straight to the directory itself?
Also if I do make my user account able to log in, would I then be faced with putting in the entire DN every single time? can I alias it etc..? Ideally I'd not want a dedicated account, unless there's some real logic in not using the account - something I can imagine...
Any pointers, especially those which are simple, elegant and non-invasive, would be *very* much appreciated.
Thanks
Chris
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users