Hi All.
We're trying to implement ACLs that will allow our Admins to modify the LDAP directory without using a generic admin account, instead using their own credentials within LDAP. Our requirement is that the Admins can modify the mail, uid and userPassword attributes, which I have working. Part of this also requires that the Admin has the ability to add those attributes. That does not work.
We have our system automated so that HR creates a user and the basics are automatically populated into LDAP; however, the mail, uid and userPassword attributes are not created at that time. What kind of an ACL do I need to allow the Admins to create the mail, uid and userPassword attributes?
Thanks in advance. Matt.
Here's what I have for ACLs:

access to dn="cn=Manager,dc=domain,dc=com" by * auth
access to dn="ou=Admins,dc=domain,dc=com" by dn.children="ou=Admins,dc=domain,dc=com" read by * auth
access to attrs=employeeNumber by dn.children="ou=Admins,dc=domain,dc=com" write by self read by * search

# Allow Admins ou and ldappers group to modify ldap's userPassword attribute
access to attrs=userPassword by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write by dn.children="ou=Admins,dc=domain,dc=com" write by self write by * auth

# Allow Admins ou and ldappers group to modify ldap's mail and uid attributes and cbnActive attribute
access to attrs=mail,uid by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write by dn.children="ou=Admins,dc=domain,dc=com" write by self read by * read

access to * by dn.children="ou=Admins,dc=domain,dc=com" write by * read
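To see how these rules resolve for a given bind DN and attribute before testing against a live server, here is a small evaluator (added here, not from Matt's post and not OpenLDAP code) that models slapd's first-match semantics: the first "access to" whose target matches the entry/attribute decides, and within it the first matching "by" clause sets the level. It assumes dn= is an exact entry match, supports only *, self, dn.children and group/.../member subjects (membership passed in as a dict of lowercase DNs), and embeds the ACLs above as a constructed sample.

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # subset of slapd's levels, ascending
ACL_TEXT = """
# constructed sample: the ACLs from the post, one directive per line, comments on their own lines
access to dn="cn=Manager,dc=domain,dc=com" by * auth
access to dn="ou=Admins,dc=domain,dc=com" by dn.children="ou=Admins,dc=domain,dc=com" read by * auth
access to attrs=employeeNumber by dn.children="ou=Admins,dc=domain,dc=com" write by self read by * search
access to attrs=userPassword by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write by dn.children="ou=Admins,dc=domain,dc=com" write by self write by * auth
access to attrs=mail,uid by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write by dn.children="ou=Admins,dc=domain,dc=com" write by self read by * read
access to * by dn.children="ou=Admins,dc=domain,dc=com" write by * read
"""

def parse_acl(text):
    # 'access to <what> by <who> <level> ...' -> (what, [(who, level), ...]); '#' and blank lines skipped
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to"):
            what, *clauses = re.split(r"\s+by\s+", line[9:].strip())
            rules.append((what, [tuple(c.rsplit(None, 1)) for c in clauses]))
    return rules

def what_matches(what, target_dn, attr):
    # '*' matches anything; dn="..." the whole entry (exact match assumed); attrs=a,b those attributes anywhere
    if what.startswith("dn="):
        return target_dn.lower() == what[4:-1].lower()
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    return what == "*"

def who_matches(who, requester_dn, target_dn, groups):
    r = requester_dn.lower()
    if who.startswith("dn.children="):  # entries strictly below the base
        base = who[13:-1].lower()
        return r != base and r.endswith("," + base)
    if who.startswith("group/"):  # membership supplied by the caller as {group_dn: {member_dn, ...}}, lowercase
        return r in groups.get(who.split("=", 1)[1].strip('"').lower(), set())
    return who == "*" or (who == "self" and r == target_dn.lower())

def granted(rules, requester_dn, target_dn, attr, groups=None):
    # The first 'access to' whose <what> matches decides; inside it the first matching 'by' sets the level.
    for what, clauses in rules:
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, target_dn, groups or {}):
                    return level
            return "none"  # matching 'to' but no matching 'by': denied
    return "none"

def allows(rules, requester_dn, target_dn, attr, needed, groups=None):
    return LEVELS.index(granted(rules, requester_dn, target_dn, attr, groups)) >= LEVELS.index(needed)
```

Note that with this ordering an Admin gets only auth on the cn=Manager entry, because the first dn= rule matches that entry before any of the attrs= rules are considered.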