[Freeipa-users] limit access to a specific CN

Peter Doherty doherty at hkl.hms.harvard.edu
Tue Feb 15 19:09:07 UTC 2011


On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:

> Peter Doherty wrote:
>> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
>>
>>
>> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
>> and then create an account that can edit that cn as much as they want,
>> but can't edit the other ones (i.e. accounts, groups...)?
>> Any pointers to documentation would be useful. Unfortunately I'm not
>> 100% clear on my terminology, so google searches are leading me a bit
>> astray.
>
> What would you put into this container?
>
> 389-ds certainly supports doing this; depending on what exactly you
> want to do, IPA may or may not support it. For example, we look for a
> type of entry only within a given container, so you can't put users
> into another location.
>
> rob

The first thing I'm looking to do with it is have a web server that
has account information stored in LDAP, and to allow users to do ldap
authentication.  The users logging into the web server would be
different from the posix groups that are managed by FreeIPA.  I want
to replace htaccess and htpasswd files and use LDAP instead.
It seems like I could create a subsection in LDAP and set up apache to
bind and auth against that.  But I also want a separate ldap admin
account that can only edit this section, and not the rest of the
FreeIPA data.
Thanks.

Peter
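
A sketch of the 389-ds side of what this message asks for, added here as an example and not taken from the thread or from FreeIPA: the container from the question with two ACIs placed on it, so that one account can edit only that subtree and another can only look users up in it. The account names uid=webadmin and uid=apache-bind are hypothetical, and passwords are assumed to be set separately.

```ldif
# Added example with constructed entries. Load as Directory Manager, e.g.:
#   ldapmodify -a -x -D "cn=Directory Manager" -W -f subgroup.ldif
# uid=webadmin and uid=apache-bind are hypothetical names.

# The container from the question. An ACI without a target keyword applies
# to the entry that holds it and to everything below that entry, so both
# rules end at cn=subgroup.
# Rule 1: the delegated admin may add, change and delete entries here.
#         Narrow targetattr to a named list if "*" is broader than needed.
# Rule 2: the account the web server binds with may only search for users;
#         userPassword is not listed, so it cannot read password hashes.
dn: cn=subgroup,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: subgroup
aci: (targetattr = "*")(version 3.0; acl "webadmin manages subgroup";
  allow (all)
  userdn = "ldap:///uid=webadmin,cn=subgroup,dc=example,dc=com";)
aci: (targetattr = "objectClass || uid || cn")(version 3.0;
  acl "apache-bind can look up web users";
  allow (read, search, compare)
  userdn = "ldap:///uid=apache-bind,cn=subgroup,dc=example,dc=com";)

# The delegated admin account (no password here; set one separately).
dn: uid=webadmin,cn=subgroup,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: webadmin
cn: Web directory admin
sn: admin

# The search account for the web server (no password here either).
dn: uid=apache-bind,cn=subgroup,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: apache-bind
cn: Apache bind account
sn: apache
```

These two ACIs grant nothing outside cn=subgroup, but any ACI already present higher in the tree that applies to all authenticated users still applies to both accounts, so review those as well. As the quoted reply notes, IPA looks for its entries only in its own containers, so entries placed here are not managed by the IPA tools.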



