Administrative LDAP user example
From Brandonhutchinson.com
Revision as of 21:00, 7 August 2008
In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is uid=useradd,dc=subdomain,dc=example,dc=com.
- Create the account using the following LDIF:
# LDIF separates attribute and value with a colon; the account sits directly under the base DN, not under ou=people
dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid: useradd
givenName: useradd account
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: for ldap script
cn: useradd account for ldap script
userPassword: password
- We intentionally do not place the account within ou=people so that it is not displayed using ldaplist passwd.
- We also do not make the account a member of the objectClasses posixAccount and shadowAccount, so that attributes that do not apply to a script account (e.g., homeDirectory and loginShell) are not required.
- Modify the ACI on ou=people so that this account can add and remove LDAP accounts.
# ou=people already exists, so the aci attribute is added with a modify operation rather than "changetype: add" (which would try to create the entry)
dn: ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)
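As an added example (not the wiki's own Perl script or LDIF), the following Python builds the two changes above in valid LDIF syntax and then reviews the ACI for least privilege: it parses the "version 3.0" ACI, confirms that the userdn is the intended service account, checks that the account does not live inside the subtree it administers, and flags that allow (all) grants more than the add and delete rights a script that only creates and removes entries needs. The DNs, attribute values and ACI text are taken from the page; the regex-based ACI reader only understands the single-userdn form shown here, and the password value is a placeholder (both assumptions).

```python
# Added example: generate the page's LDIF correctly and review its ACI.
# DNs and ACI text come from the page; the ACI reader is a simplified
# regex for the Sun/Netscape "version 3.0" syntax (assumption).
import base64
import re

BASE_DN = "dc=subdomain,dc=example,dc=com"
PEOPLE_OU = f"ou=people,{BASE_DN}"
SERVICE_DN = f"uid=useradd,{BASE_DN}"

# The ACI exactly as the page gives it.
PAGE_ACI = ('(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; '
            'allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)')


def ldif_line(attr, value):
    """LDIF (RFC 2849) writes 'attr: value'. A value that is not safe ASCII,
    or that starts with space/colon/'<' or ends with a space, must be
    base64-encoded and written with '::'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def service_account_ldif(password):
    """The script account from the page: person/inetOrgPerson only (no
    posixAccount/shadowAccount) and placed under the base DN, not ou=people."""
    attrs = [
        ("uid", "useradd"),
        ("givenName", "useradd account"),
        ("objectClass", "top"), ("objectClass", "person"),
        ("objectClass", "organizationalPerson"), ("objectClass", "inetorgperson"),
        ("sn", "for ldap script"),
        ("cn", "useradd account for ldap script"),
        ("userPassword", password),
    ]
    return "\n".join([f"dn: {SERVICE_DN}"] + [ldif_line(a, v) for a, v in attrs]) + "\n"


def aci_value(rights, acl_name, subject_dn, targetattr="*"):
    """Compose a version 3.0 ACI granting `rights` on `targetattr` to `subject_dn`."""
    return (f'(targetattr="{targetattr}") (version 3.0; acl "{acl_name}"; '
            f'allow ({",".join(rights)}) userdn="ldap:///{subject_dn}";)')


def aci_modify_ldif(target_dn, aci):
    """Attach an ACI to an entry that already exists: a 'modify' with
    'add: aci', not 'changetype: add' (which would try to create the entry)."""
    return "\n".join([f"dn: {target_dn}", "changetype: modify",
                      "add: aci", f"aci: {aci}"]) + "\n"


ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\s*;\s*\)')


def parse_aci(aci):
    """Pull targetattr, acl name, effect, rights and userdn out of one ACI."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("ACI not in the single-userdn form this reader understands")
    parsed = m.groupdict()
    parsed["rights"] = {r.strip().lower() for r in parsed["rights"].split(",") if r.strip()}
    return parsed


def review_aci(aci, subject_dn=SERVICE_DN, target_dn=PEOPLE_OU):
    """Least-privilege review of an ACI meant to let a script account add and
    remove entries under target_dn. Returns a list of findings (empty = clean)."""
    p = parse_aci(aci)
    findings = []
    if p["userdn"].lower() != subject_dn.lower():
        findings.append(f"ACI names {p['userdn']}, expected {subject_dn}")
    excess = p["rights"] - {"add", "delete"}
    if excess:
        findings.append(f"rights {sorted(excess)} exceed the add+delete needed "
                        "to create and remove entries")
    if p["userdn"].lower().endswith("," + target_dn.lower()):
        findings.append("subject entry lives inside the subtree it administers, "
                        "so it could modify itself")
    return findings


if __name__ == "__main__":
    print(service_account_ldif("change-me"))  # placeholder password, constructed here
    print(aci_modify_ldif(PEOPLE_OU, PAGE_ACI))
    for finding in review_aci(PAGE_ACI):
        print("finding:", finding)
    tightened = aci_value(["add", "delete"], "Allow useradd to add/remove under ou=people", SERVICE_DN)
    print("tightened ACI findings:", review_aci(tightened))
```

Feeding the two generated LDIF documents to ldapadd and ldapmodify reproduces the page's setup; the review step is what you would run before applying the ACI, and it reports the page's allow (all) as broader than a create/remove-only script requires.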
