Administrative LDAP user example

From Brandonhutchinson.com

(Difference between revisions)
Jump to: navigation, search
(New page: In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''. * Create the account...)
Current revision (21:10, 7 August 2008) (edit) (undo)
 
(3 intermediate revisions not shown.)
Line 2: Line 2:
* Create the account using the following LDIF:
* Create the account using the following LDIF:
-
uid=useradd,dc=subdomain,dc=example,dc=com
+
dn: uid=useradd,dc=subdomain,dc=example,dc=com
-
uid=useradd
+
uid: useradd
-
givenName=useradd account
+
givenName: useradd account
-
objectClass=top
+
objectClass: top
-
objectClass=person
+
objectClass: person
-
objectClass=organizationalPerson
+
objectClass: organizationalPerson
-
objectClass=inetorgperson
+
objectClass: inetorgperson
-
sn=for ldap script
+
sn: for ldap script
-
cn=useradd account for ldap script
+
cn: useradd account for ldap script
-
userPassword=''password''
+
userPassword: ''password''
* We intentionally do not place the account within '''ou=people''' so that it is not displayed using '''ldaplist passwd'''.
* We intentionally do not place the account within '''ou=people''' so that it is not displayed using '''ldaplist passwd'''.
* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).
* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).
 +
 +
* Modify the ACI on '''ou=people''' so that this account can add and remove LDAP accounts.
 +
dn: ou=people,dc=subdomain,dc=example,dc=com
 +
changetype: modify
 +
add: aci
 +
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)

Current revision

In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is uid=useradd,dc=subdomain,dc=example,dc=com.

  • Create the account using the following LDIF:
dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid: useradd
givenName: useradd account
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: for ldap script
cn: useradd account for ldap script
userPassword: password
  • We intentionally do not place the account within ou=people so that it is not displayed using ldaplist passwd.
  • We also do not make the account a member of the objectClasses posixAccount and shadowAccount so that various non-applicable attributes are not required (e.g., homeDirectory, loginShell, etc.).
  • Modify the ACI on ou=people so that this account can add and remove LDAP accounts.
dn: ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
add: aci
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)
Personal tools