[Freeipa-users] limit access to a specific CN
Simo Sorce
ssorce at redhat.com
Tue Feb 15 19:45:35 UTC 2011
On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty <doherty at hkl.hms.harvard.edu> wrote:
>
> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
>
> > Peter Doherty wrote:
> >> Hello, I'm running Fedora 14 and freeipa 1.2.2-6
> >>
> >>
> >> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
> >> and then create an account that can edit that cn as much as they
> >> want,
> >> but can't edit the other ones (ie: accounts, groups...)?
> >> Any pointers to documentation would be useful. Unfortunately I'm
> >> not 100% clear on my terminology, so google searches are leading
> >> me a bit astray.
> >
> > What would you put into this container?
> >
> > 389-ds certainly supports doing this, depending on what exactly
> > you want to do IPA may or may not support it. For example, we look
> > for a type of entry only within a given container, so you can't put
> > users into another location.
> >
> > rob
>
> The first thing I'm looking to do with it is have a web server that
> has account information stored in LDAP, and to allow users to to
> ldap authentication. The users logging into the web server would be
> different from the posix groups that are managed by FreeIPA. I want
> to replace htaccess and htpasswd files and use LDAP instead.
> It seems like I could create a subsection in LDAP and set up apache
> to bind and auth against that. But I also want a seperate ldap
> admin account that can only edit this section, and not the rest of
> the FreeIPA data.
> Thanks.
It is possible to do using LDAP tools and then setting an ACI on the
container to give the user you want full control on that container.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list