Administrative LDAP user example
From Brandonhutchinson.com
In our environment, we allow another team to add and remove LDAP users via a Perl script. The script binds as a dedicated account, uid=useradd,dc=subdomain,dc=example,dc=com.
- Create the account using the following LDIF (the userPassword value is a placeholder; an LDIF file that carries a cleartext password should be readable only by the person loading it and removed afterwards, or carry a pre-hashed value instead):
 dn: uid=useradd,dc=subdomain,dc=example,dc=com
 uid: useradd
 givenName: useradd account
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 sn: for ldap script
 cn: useradd account for ldap script
 userPassword: password
- We intentionally do not place the account within ou=people so that it is not displayed using ldaplist passwd.
- We also do not make the account a member of the objectClasses posixAccount and shadowAccount so that various non-applicable attributes are not required (e.g., homeDirectory, loginShell, etc.).
- Modify the ACI on ou=people so that this account can add and remove LDAP accounts. Note that in LDIF the attribute is written aci: (colon, not aci=), and that allow (all) grants read, write, search, compare, add and delete on every attribute in the subtree; if the script only needs to create and delete entries, allow (add, delete) is the tighter choice.
 dn: ou=people,dc=subdomain,dc=example,dc=com
 changetype: modify
 add: aci
 aci: (targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)
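The following is an added example, not code from the original page or its author's Perl script. It generates the two LDIF documents from the steps above with a {SSHA}-hashed userPassword instead of a cleartext one, and lints the ACI before it is applied: it confirms the value is written as a proper LDIF aci: line, that the userdn is the script account, and that the grant is limited to add and delete. The DNs are the ones the page uses; the hashing scheme and the add/delete restriction are assumptions about what a directory in the Sun/Netscape ACI dialect would accept and what the script actually needs. Nothing here contacts a server.

```python
"""Added example: build and lint the LDIF for an administrative LDAP script account."""
import base64
import hashlib
import os
import re

BASE_DN = "dc=subdomain,dc=example,dc=com"    # from the page
ADMIN_DN = "uid=useradd," + BASE_DN           # from the page
PEOPLE_DN = "ou=people," + BASE_DN            # from the page


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext password against a {SSHA} value (salt follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def account_ldif(password_hash, admin_dn=ADMIN_DN):
    """LDIF for the script account: outside ou=people, no posixAccount/shadowAccount, as on the page."""
    uid = admin_dn.split(",", 1)[0].split("=", 1)[1]
    lines = [
        "dn: " + admin_dn,
        "uid: " + uid,
        "givenName: " + uid + " account",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "sn: for ldap script",
        "cn: " + uid + " account for ldap script",
        "userPassword: " + password_hash,
    ]
    return "\n".join(lines) + "\n"


def aci_modify_ldif(admin_dn=ADMIN_DN, people_dn=PEOPLE_DN, rights=("add", "delete")):
    """changetype: modify LDIF appending an ACI that grants only the listed rights (assumed: add, delete)."""
    aci = ('(targetattr="*")(version 3.0; acl "Allow useradd to modify ou=people"; '
           'allow (%s) userdn="ldap:///%s";)' % (", ".join(rights), admin_dn))
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (people_dn, aci)


def aci_from_ldif(ldif):
    """Pull the aci value out of a modify LDIF; an 'aci=' line (the page's original typo) is not LDIF and yields None."""
    for line in ldif.splitlines():
        if line.startswith("aci: "):
            return line[len("aci: "):]
    return None


# Sun/Netscape-style ACI: (targetattr="...")(version 3.0; acl "name"; allow (rights) userdn="ldap:///dn";)
_ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\s*;\s*\)',
    re.I)


def parse_aci(aci):
    """Split an ACI into target attributes, acl name, rights set and bind DN."""
    m = _ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI syntax")
    d = m.groupdict()
    d["rights"] = {r.strip().lower() for r in d["rights"].split(",")}
    return d


def aci_issues(aci, expected_userdn, allowed=("add", "delete")):
    """Return what a reviewer would flag: wrong bind DN, or rights beyond the allowed set."""
    p = parse_aci(aci)
    issues = []
    if p["userdn"].lower() != expected_userdn.lower():
        issues.append("userdn is %s, expected %s" % (p["userdn"], expected_userdn))
    extra = p["rights"] - set(allowed)
    if extra:
        issues.append("grants more than %s: %s" % (", ".join(allowed), sorted(extra)))
    return issues


if __name__ == "__main__":
    print(account_ldif(ssha_hash("change-me")))   # password is a constructed placeholder
    ldif = aci_modify_ldif()
    print(ldif)
    print("issues:", aci_issues(aci_from_ldif(ldif), ADMIN_DN))
```

Feed the printed documents to ldapadd and ldapmodify as the directory manager; aci_issues on the page's own ACI reports the allow (all) grant, which is the one thing to decide on before loading it.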
