Hi All.
We're trying to implement ACLs that will allow our Admins to modify the LDAP directory without using a generic admin account, using their own credentials within LDAP instead. Our requirement is that the Admins can modify the mail, uid and userPassword attributes, which I have working. Part of this also requires that the Admins have the ability to add those attributes. That does not work.
We have our system automated so that HR creates a user and the basics are automatically populated into LDAP; however, the mail, uid and userPassword attributes are not created at that time.
What kind of ACL do I need to allow the Admins to create the mail, uid and userPassword attributes?
Thanks in advance.
Matt.
Here's what I have for ACLs:

access to dn="cn=Manager,dc=domain,dc=com"
    by * auth

access to dn="ou=Admins,dc=domain,dc=com"
    by dn.children="ou=Admins,dc=domain,dc=com" read
    by * auth

access to attrs=employeeNumber
    by dn.children="ou=Admins,dc=domain,dc=com" write
    by self read
    by * search

# Allow Admins ou and ldappers group to modify ldap's userPassword attribute
access to attrs=userPassword
    by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write
    by dn.children="ou=Admins,dc=domain,dc=com" write
    by self write
    by * auth

# Allow Admins ou and ldappers group to modify ldap's mail and uid attributes and cbnActive attribute
access to attrs=mail,uid
    by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write
    by dn.children="ou=Admins,dc=domain,dc=com" write
    by self read
    by * read

access to *
    by dn.children="ou=Admins,dc=domain,dc=com" write
    by * read
--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
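An added worked example, not part of Matt's post or of OpenLDAP itself, that replays slapd's ACL evaluation order over the attribute stanzas above: the first "access to" whose target matches the attribute wins, and within it the first matching "by" clause sets the privilege level (no matching "by" means no access). The requester DNs and the ldappers group membership are constructed for the demonstration.

```python
import re

# Hypothetical evaluator for the slapd ACL stanzas in the post (not slapd's code).
# Group membership is constructed here; slapd reads the groupOfNames entry instead.
GROUPS = {"cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com":
          {"uid=hrsync,ou=Apps,dc=domain,dc=com"}}
LDAPPERS = 'group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com"'
ADMINS = 'dn.children="ou=Admins,dc=domain,dc=com"'
# Attribute stanzas from the post, in file order; the dn="..." stanzas match only
# the Manager and ou=Admins entries themselves, never a user entry, so they are left out.
ACLS = f"""
access to attrs=userPassword
  by {LDAPPERS} write
  by {ADMINS} write
  by self write
  by * auth
access to attrs=mail,uid
  by {LDAPPERS} write
  by {ADMINS} write
  by self read
  by * read
access to *
  by {ADMINS} write
  by * read
"""

def who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "self":
        return requester == entry_dn
    if m := re.fullmatch(r'dn\.children="(.+)"', who):  # requester strictly below that DN
        return requester.endswith("," + m.group(1))
    if m := re.fullmatch(r'group/groupOfNames/member="(.+)"', who):
        return requester in GROUPS.get(m.group(1), set())
    return False

def access(requester, entry_dn, attr, text=ACLS):
    # First 'access to' whose target covers attr wins; first matching 'by' in it sets the level.
    active = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access to "):
            if active:  # matched stanza had no matching 'by': slapd grants nothing
                return "none"
            target = line[10:]
            active = target == "*" or attr in target[len("attrs="):].split(",")
        elif active and line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            if who_matches(who, requester, entry_dn):
                return level
    return "none"
```

Under these stanzas an account below ou=Admins evaluates to write on mail, uid and userPassword of any user entry, and in slapd the write privilege covers adding values as well as replacing them. To see what the running server actually grants for a given DN, attribute and operation, query it with slapacl(8) against the live configuration rather than reasoning from the file alone.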