Administrative LDAP user example - Revision history

Hutch at 21:10, 7 August 2008

Hutch — Thu, 07 Aug 2008 21:10:40 GMT

←Older revision		Revision as of 21:10, 7 August 2008
Line 1:		Line 1:
	In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''.		In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''.

-	# Create the account using the following LDIF:	+	* Create the account using the following LDIF:
	dn: uid=useradd,dc=subdomain,dc=example,dc=com		dn: uid=useradd,dc=subdomain,dc=example,dc=com
	uid: useradd		uid: useradd
Line 17:		Line 17:
	* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).		* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).

-	# Modify the ACI on '''ou=people''' so that this account can add and remove LDAP accounts.	+	* Modify the ACI on '''ou=people''' so that this account can add and remove LDAP accounts.
	dn: ou=people,dc=subdomain,dc=example,dc=com		dn: ou=people,dc=subdomain,dc=example,dc=com
-	changetype: add	+	changetype: modify
		+	add: aci
	aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)		aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)

Hutch at 21:04, 7 August 2008

Hutch — Thu, 07 Aug 2008 21:04:43 GMT

←Older revision		Revision as of 21:04, 7 August 2008
Line 3:		Line 3:
	# Create the account using the following LDIF:		# Create the account using the following LDIF:
	dn: uid=useradd,dc=subdomain,dc=example,dc=com		dn: uid=useradd,dc=subdomain,dc=example,dc=com
-	uid=useradd	+	uid: useradd
-	givenName=useradd account	+	givenName: useradd account
-	objectClass=top	+	objectClass: top
-	objectClass=person	+	objectClass: person
-	objectClass=organizationalPerson	+	objectClass: organizationalPerson
-	objectClass=inetorgperson	+	objectClass: inetorgperson
-	sn=for ldap script	+	sn: for ldap script
-	cn=useradd account for ldap script	+	cn: useradd account for ldap script
-	userPassword=''password''	+	userPassword: ''password''

	* We intentionally do not place the account within '''ou=people''' so that it is not displayed using '''ldaplist passwd'''.		* We intentionally do not place the account within '''ou=people''' so that it is not displayed using '''ldaplist passwd'''.

Hutch at 21:00, 7 August 2008

Hutch — Thu, 07 Aug 2008 21:00:17 GMT

←Older revision		Revision as of 21:00, 7 August 2008
Line 20:		Line 20:
	dn: ou=people,dc=subdomain,dc=example,dc=com		dn: ou=people,dc=subdomain,dc=example,dc=com
	changetype: add		changetype: add
-	aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=~~prummcx~~,dc=~~unix,dc=navitaire~~,dc=com" ;)	+	aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)

Hutch at 20:59, 7 August 2008

Hutch — Thu, 07 Aug 2008 20:59:50 GMT

←Older revision		Revision as of 20:59, 7 August 2008
Line 1:		Line 1:
	In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''.		In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''.

-	* Create the account using the following LDIF:	+	# Create the account using the following LDIF:
-	uid=useradd,dc=subdomain,dc=example,dc=com	+	dn: uid=useradd,dc=subdomain,dc=example,dc=com
	uid=useradd		uid=useradd
	givenName=useradd account		givenName=useradd account
Line 16:		Line 16:

	* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).		* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).
		+
		+	# Modify the ACI on '''ou=people''' so that this account can add and remove LDAP accounts.
		+	dn: ou=people,dc=subdomain,dc=example,dc=com
		+	changetype: add
		+	aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=prummcx,dc=unix,dc=navitaire,dc=com" ;)

Hutch: New page: In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''. * Create the account...

Hutch — Thu, 07 Aug 2008 20:55:55 GMT

New page: In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''. * Create the account...

New page

In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''.

* Create the account using the following LDIF:
uid=useradd,dc=subdomain,dc=example,dc=com
uid=useradd
givenName=useradd account
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
sn=for ldap script
cn=useradd account for ldap script
userPassword=''password''

* We intentionally do not place the account within '''ou=people''' so that it is not displayed using '''ldaplist passwd'''.

* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).