----- "Chris Phillips" <chris@xxxxxxxxxxxx> wrote:
> http://www.mail-archive.com/fedora-directory-users@xxxxxxxxxx/msg09428.html
>
> On Tue, Jun 16, 2009 at 7:29 PM, John A. Sullivan III <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:
>
> In briefest summary, we create a separate user who has rights to see but
> not change the commonly needed fields for as much of the DIT as is
> needed for the various servers, e.g., some may need to see the entire
> tree whereas others may only need a small subset. The ACIs are in that
> large post. We then use this user as the binddn in ldap.conf. We never
> use cn=Directory Manager and always remove anonymous browsing. In fact,
> we also change the cn for both Directory Manager and the admin user just
> to further obscure the setup. Hope this helps - John
>
> John, (and anyone else of course...)
>
> I read your mail that you referred to...
> http://www.mail-archive.com/fedora-directory-users@xxxxxxxxxx/msg09428.html
> and don't really see an answer to the question, or more honestly, the
> very similar question I was about to ask before I saw this.
>
> That was how to have a full administrative user that is not Directory
> Manager. I'm working in a very high profile confidential project and
> to our shame are still using this account for pretty much everything
> of note (despite my protestations from day 1, I assure you!!)
> including the IDM console which is our main tool for managing data in
> it. I've tried to work out the most formal and effective way to make
> my own normal user account able to do whatever Directory Manager can
> do with the console but without luck. I expect it's an awful lot
> simpler than I think it is. In line with doing it "right" there's a
> Directory Administrators (or nearly that) group which I tried adding
> users to but no change was seen, and I'd think there's a difference
> between the access within the main directory and the Admin server
> config in o=NetscapeRoot. Is there an ACI that already exists and
> such?

I would take a look at the ACIs that are created for the uid=admin user, the one created during setup-ds-admin.pl time. That user is as close as you can get to directory manager. The only thing we don't have an ACI for is the ability to create the root entry for a top level suffix (e.g. if you create a new suffix dc=example,dc=com, only the directory manager can use LDAP ADD to create that entry, which is what the console does). You can work around this limitation by doing an import operation - create an ldif file which contains this entry, and do an import/ldif2db/database init with this file, as admin.

> Also looking at your notes, it seems there may be better ways to
> manage a single directory (2 multimasters and 6 replicas) like
> bypassing the initial Admin section and going straight to the
> directory itself?
>
> Also if I do make my user account able to log in, would I then be
> faced with putting in the entire DN every single time? Can I alias it
> etc..? Ideally I'd not want a dedicated account, unless there's some
> real logic in not using the account - something I can imagine...

Authentication is supposed to look up the user id first in o=NetscapeRoot (e.g. the default console admin) then in your default user&group suffix (e.g. dc=example,dc=com).

> Any pointers, especially those which are simple, elegant and
> non-invasive, would be *very* much appreciated.
>
> Thanks
>
> Chris

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
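An added example, not code from the thread: it builds the LDIF file the import workaround above needs (the root entry of a new suffix, which only Directory Manager could ADD over LDAP), and attaches to it a read-only ACI for a dedicated bind user of the kind John describes. The suffix, bind DN and attribute list are assumed values; the RDN-to-objectClass mapping goes slightly beyond the dc=example,dc=com case in the thread.

```python
# Added example (not from the 389-users thread). Generates the LDIF used for
# the ldif2db/import workaround: the suffix root entry plus a read-only ACI
# for a dedicated bind user instead of cn=Directory Manager.

# objectClass implied by the RDN attribute of the suffix (assumed mapping,
# covering the common suffix shapes; dc=... is the case in the thread)
RDN_OBJECTCLASS = {
    "dc": "domain",
    "o": "organization",
    "ou": "organizationalUnit",
    "c": "country",
}


def split_rdn(dn):
    """Return (attr, value) of the first RDN of a DN such as dc=example,dc=com."""
    rdn = dn.split(",", 1)[0]
    attr, value = rdn.split("=", 1)
    return attr.strip().lower(), value.strip()


def root_entry(suffix):
    """LDIF record for the top-level entry of `suffix`, ready for import."""
    attr, value = split_rdn(suffix)
    oc = RDN_OBJECTCLASS.get(attr)
    if oc is None:
        raise ValueError(f"unsupported suffix RDN attribute: {attr}")
    return "\n".join([
        f"dn: {suffix}",
        "objectClass: top",
        f"objectClass: {oc}",
        f"{attr}: {value}",
    ])


def readonly_aci(bind_dn, attrs, name="read-only bind user"):
    """389-DS ACI: read/search/compare on `attrs` only, for `bind_dn` only.
    No write rights, so the ldap.conf binddn cannot modify the tree."""
    targetattr = " || ".join(attrs)
    return (f'aci: (targetattr="{targetattr}")'
            f'(version 3.0; acl "{name}"; allow (read,search,compare) '
            f'userdn="ldap:///{bind_dn}";)')


def suffix_ldif(suffix, bind_dn, attrs):
    """Complete LDIF: root entry carrying the ACI (applies to the subtree)."""
    return root_entry(suffix) + "\n" + readonly_aci(bind_dn, attrs) + "\n"


if __name__ == "__main__":
    # assumed bind user and attribute set; write to a file and import with ldif2db
    print(suffix_ldif("dc=example,dc=com",
                      "uid=ldapbind,ou=People,dc=example,dc=com",
                      ["uid", "cn", "uidNumber", "gidNumber", "homeDirectory"]))
```

The resulting file is imported as the admin user (ldif2db/database init), after which the bind user can read the listed attributes but nothing else; the default anonymous-access ACI still has to be removed separately.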