Hi,
I need some guidance. I have a simple DIT with users in the users OU, and a separate OU for admins.
In addition to the Manager, I have created an admin2 account in the admins OU; however, the default permissions don’t allow admin2.admins.domain.tld to create users in the users.domain.tld OU.
I also don’t want admin2 to have permissions equal to Manager. I am giving that account away to our users administrator, and they only need access to create/modify/delete users under the users OU (on the basis of least privilege I don’t want them to have full access).
I am using dynamic LDAP configuration. I have already created the users and admin accounts; I just need guidance on adding the ACLs.
I am a complete novice with OpenLDAP. What do I need to do to grant the correct olcAccess so that the admin2 account can create users in the users.domain.tld OU?
I’d also like a read-only admin in the admins OU that can view all details for all users under the users OU.
And as the cream on top of the cake, I’d like to prohibit accounts in the users OU from looking at any of the rest of the LDAP objects other than self.
I think I’m right that I need to modify the olcAccess rules, but I don’t know how. The current olcAccess rules follow:
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
<… CUT …>
olcSuffix: dc=domain,dc=tld
olcRootDN: cn=Manager,dc=domain,dc=tld
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=domain,dc=tld" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=domain,dc=tld" write by * read
(I have tweaked the text output to replace our domain, please ignore any typos I may have inadvertently introduced)
I have read the admin guides and man pages, but I can’t clearly see what LDIF stanzas I need to construct.
Thanks in advance.
Gary Spencer
Whitehall Avenue | Kingston | Milton Keynes | MK10 0AX
www.sis.tv
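An olcAccess set that covers the three requests in the post (admin2 writes under ou=users, a read-only admin reads it, ordinary users see only themselves), written here as an added example rather than anything from the original thread. It assumes the OUs are ou=users and ou=admins directly under dc=domain,dc=tld, that the user administrator is cn=admin2 in ou=admins, and that the read-only admin is a hypothetical cn=auditor in the same OU.

```ldif
# Added example, not from the original post. Replaces the three olcAccess values
# on olcDatabase={2}hdb,cn=config. Assumed DNs (not given in the post):
#   cn=admin2,ou=admins,dc=domain,dc=tld   the user administrator
#   cn=auditor,ou=admins,dc=domain,dc=tld  hypothetical read-only admin
# cn=Manager is the olcRootDN and bypasses ACLs, so it needs no "by" clause.
# Rules are evaluated first-match on the "to" clause, so the narrow password
# rules come before the broad subtree rules.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
# {0} passwords under ou=users: admin2 may set them, a user may change their
# own, anonymous may only bind against them; the auditor and everyone else: none.
olcAccess: {0}to dn.subtree="ou=users,dc=domain,dc=tld"
  attrs=userPassword,shadowLastChange
  by dn.exact="cn=admin2,ou=admins,dc=domain,dc=tld" write
  by self write
  by anonymous auth
  by * none
# {1} everything else under ou=users. Write on the OU's "children" and each
# user's "entry" pseudo-attribute (both inside dn.subtree) is what add and
# delete require, so admin2 can create, modify and delete users here only.
olcAccess: {1}to dn.subtree="ou=users,dc=domain,dc=tld"
  by dn.exact="cn=admin2,ou=admins,dc=domain,dc=tld" write
  by dn.exact="cn=auditor,ou=admins,dc=domain,dc=tld" read
  by self read
  by * none
# {2} admin passwords: each admin may change its own; nobody else reads them.
olcAccess: {2}to dn.subtree="ou=admins,dc=domain,dc=tld" attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {3} rootDSE stays world-readable; clients need it to discover the server.
olcAccess: {3}to dn.base="" by * read
# {4} "search" on the suffix's entry pseudo-attribute lets any authenticated
# account use dc=domain,dc=tld as a search base; it still reads nothing the
# rules above do not grant, so a user searching the tree gets only itself.
olcAccess: {4}to dn.base="dc=domain,dc=tld" attrs=entry
  by users search
# {5} the rest (OUs, admin entries, suffix attributes): admins read, users none.
# This replaces the original "by * read", which let every user browse the DIT.
olcAccess: {5}to *
  by dn.children="ou=admins,dc=domain,dc=tld" read
  by * none
-
```

Load it against the config database (typically `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`), then check each account with `slapacl -b <entry DN> -D <bind DN> <attr>/<access>` before handing admin2 over.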