[Freeipa-users] limit access to a specific CN

Peter Doherty doherty at hkl.hms.harvard.edu
Wed Feb 16 14:28:10 UTC 2011


On Feb 16, 2011, at 04:10 , Sumit Bose wrote:

> On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote:
>>
>> On Feb 15, 2011, at 14:45 , Simo Sorce wrote:
>>
>>> On Tue, 15 Feb 2011 14:09:07 -0500
>>> Peter Doherty <doherty at hkl.hms.harvard.edu> wrote:
>>>
>>>> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
>>>>
>>>>> Peter Doherty wrote:
>>>>>> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
>>>>>>
>>>>>>
>>>>>> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
>>>>>> and then create an account that can edit that cn as much as they
>>>>>> want,
>>>>>> <snip>
>>>>>>
>>>>>
>>>>> What would you put into this container?
>>>>>
>>>>> <snip>
>>>>>
>>>>> rob
>>>>
>>>> The first thing I'm looking to do with it is have a web server that
>>>> has account information stored in LDAP, and to allow users to to
>>>> ldap authentication.  The users logging into the web server would be
>>>> <snip>
>>>
>>> It is possible to do using LDAP tools and then setting an ACI on the
>>> container to give the user you want full control on that container.
>>>
>>> Simo.
>>
>> Simo,
>>
>> This gave me a good starting point, and after reading some more,  
>> I'm starting to wrap my brain around what I want to do and how to  
>> do it.
>> LDAP has a steep learning curve, IMHO.
>> Can you recommend any GUI tools for creating/modifying the ACI for  
>> the container?  I started to try and create an ACI using the ones  
>> within FreeIPA as a reference, but if there's a GUI that would be  
>> useful too.  I checked out Apache Directory Studio which looks  
>> nice, but doesn't seem to support the schema that FreeIPA is using.
>
> I use Apache Directory Studio to edit FreeIPA LDAP objects and I can
> also see and edit ACIs. The schema shouldn't be a problem, because the
> editor can read the schema data from the LDAP server. Which kind of
> problems are you seeing ?

Well, Apache Directory Studio has an ACI editor (looks like this: http://directory.apache.org/studio/screenshots.data/aci_visual_1.png )
so you don't edit the text directly, but rather use a GUI, which
builds the policy in text and inserts it when you're done editing.
But it seems to use a different schema than FreeIPA is using...

Peter
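For reference, this is the kind of ACI Simo describes: an LDIF change applied with ldapmodify that grants one account full control over the new container and nothing else. It is an added illustration, not from anyone in this thread; the container DN, the user DN (FreeIPA stores users under cn=users,cn=accounts) and the ACL name are assumptions for the example.

```ldif
# Constructed example: attach an ACI to the subgroup container itself so it
# only applies to that subtree, not to the rest of the directory.
dn: cn=subgroup,dc=example,dc=com
changetype: modify
add: aci
# 389 Directory Server ACI syntax (the server FreeIPA runs on):
#   target      - restrict the rule to the container and its children
#   targetattr  - which attributes the rule covers ("*" = all user attributes)
#   allow (all) - read, search, compare, write, add, delete, selfwrite, proxy
#   userdn      - the single account being granted these rights
aci: (target = "ldap:///cn=subgroup,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "subgroup admin (assumed name)"; allow (all) userdn = "ldap:///uid=webadmin,cn=users,cn=accounts,dc=example,dc=com";)
```

Before applying it, check the effective rights with ldapsearch's `-e '!1.3.6.1.4.1.42.2.27.9.5.2'` (GetEffectiveRights) control bound as the grantee, and confirm the same account still gets no write access outside the container; narrowing targetattr to the attributes the web application actually needs is safer than "*" if full control is more than required.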



