[Freeipa-users] limit access to a specific CN

Benjamin Vogt benjamin.vogt at serv24.biz
Tue Feb 15 20:26:47 UTC 2011


You can put your users into LDAP groups and have Apache check
that the user exists in the specified group. I do this for subversion
access (f14 & freeipa 1.2.2). This way I can manage everything over
the freeipa webgui without resorting to external tools.

- Ben

-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Simo Sorce
Sent: Tuesday, February 15, 2011 20:46
To: Peter Doherty
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] limit access to a specific CN

On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty <doherty at hkl.hms.harvard.edu> wrote:

> 
> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
> 
> > Peter Doherty wrote:
> >> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
> >>
> >>
> >> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com) 
> >> and then create an account that can edit that cn as much as they 
> >> want, but can't edit the other ones (ie: accounts, groups...)?
> >> Any pointers to documentation would be useful. Unfortunately I'm 
> >> not 100% clear on my terminology, so google searches are leading me 
> >> a bit astray.
> >
> > What would you put into this container?
> >
> > 389-ds certainly supports doing this, depending on what exactly you 
> > want to do IPA may or may not support it. For example, we look for a 
> > type of entry only within a given container, so you can't put users 
> > into another location.
> >
> > rob
> 
> The first thing I'm looking to do with it is have a web server that 
> has account information stored in LDAP, and to allow users to do ldap 
> authentication.  The users logging into the web server would be 
> different from the posix groups that are managed by FreeIPA.  I want 
> to replace htaccess and htpasswd files and use LDAP instead.
> It seems like I could create a subsection in LDAP and set up apache to 
> bind and auth against that.  But I also want a separate ldap admin 
> account that can only edit this section, and not the rest of the 
> FreeIPA data.
> Thanks.

It is possible to do using LDAP tools and then setting an ACI on the
container to give the user you want full control on that container.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
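The container plus ACI that Simo describes, written out as an added example (it is not from the thread or from FreeIPA itself). The container DN is the one Peter proposed; the delegated account uid=subgroup-admin,cn=users,cn=accounts,dc=example,dc=com and the ACI name are assumptions. Excluding the aci attribute from the grant keeps the delegated admin from widening its own rights inside the subtree, while the rest of the IPA tree stays untouched because ACIs only apply to the entry they sit on and below it.

```ldif
# Added example, not code from the thread. Apply as Directory Manager, e.g.
#   ldapmodify -x -D "cn=Directory Manager" -W -f subgroup.ldif
# Assumed delegated account: uid=subgroup-admin,cn=users,cn=accounts,dc=example,dc=com

# 1. The new container under the base suffix (outside cn=accounts, so IPA
#    does not treat its contents as IPA users or groups).
dn: cn=subgroup,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
cn: subgroup

# 2. ACI on the container: full control over this entry and its subtree for
#    one bind DN only. "targetattr != aci" withholds the right to edit ACIs,
#    so the delegated admin cannot grant itself (or others) more than this.
dn: cn=subgroup,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "subgroup admin: full control of cn=subgroup"; allow (all) userdn = "ldap:///uid=subgroup-admin,cn=users,cn=accounts,dc=example,dc=com";)
```

Verify the boundary by binding as the delegated account and attempting a modify both inside cn=subgroup and against an entry under cn=accounts; the second must be refused with insufficient access.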
