Administrative LDAP user example

From Brandonhutchinson.com

Current revision (21:10, 7 August 2008)

In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is uid=useradd,dc=subdomain,dc=example,dc=com.

  • Create the account using the following LDIF:
dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid: useradd
givenName: useradd account
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: for ldap script
cn: useradd account for ldap script
userPassword: password
  • We intentionally do not place the account within ou=people so that it is not displayed using ldaplist passwd.
  • We also do not make the account a member of the objectClasses posixAccount and shadowAccount, so that attributes that do not apply to it (e.g., homeDirectory and loginShell) are not required.
  • Modify the ACI on ou=people so that this account can add and remove LDAP accounts.
dn: ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)
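Two things are easy to get wrong when preparing the LDIF above: an attribute line written as name=value instead of name: value (ldapmodify rejects it as malformed LDIF), and an ACI whose rights list is wider than the job needs. The following is an added example, not code from the page or from the Perl script it mentions; it lints the two fragments above, rewrites a stray "=" separator, parses the ACI with a small regular expression covering only the clause shape used on the page (one targetattr clause, one allow/deny clause, one userdn/groupdn subject; this subset is an assumption), and reports where allow (all) exceeds the add and delete rights an add/remove account needs. The names lint_ldif, fix_ldif_separators, aci_value, parse_aci, review_aci and tighten_aci are hypothetical, and the sample LDIF strings are constructed from the page's fragments.

```python
import re

# Constructed sample input: the page's two LDIF fragments as a user might paste
# them. The ACI fragment carries one "name=value" line, which ldapmodify rejects.
ACCOUNT_LDIF = """\
dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid: useradd
givenName: useradd account
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: for ldap script
cn: useradd account for ldap script
userPassword: password
"""

ACI_LDIF = """\
dn: ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
add: aci
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)
"""

# A valid LDIF attribute line: name, then ":" / "::" (base64) / ":<" (URL).
LDIF_LINE = re.compile(r'^[A-Za-z][\w;.-]*(::?|:<)\s?')
# The common mistake: "name=value" instead of "name: value".
BAD_SEP = re.compile(r'^([A-Za-z][\w;.-]*)=(.*)$')

# Assumed subset of the Sun/Netscape-style ACI grammar used on the page.
ACI_RE = re.compile(
    r'^\(targetattr\s*(?P<op>!?=)\s*"(?P<targetattr>[^"]*)"\)\s*'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<subject>userdn|groupdn)\s*=\s*"(?P<dn>[^"]*)"\s*;\s*\)\s*$',
    re.IGNORECASE,
)

# Rights an account needs to add and remove entries under ou=people.
NEEDED_FOR_ADD_REMOVE = {'add', 'delete'}


def lint_ldif(text):
    """Return [(line_no, message)] for lines that are not 'attr: value' LDIF."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line[0] in '# ':      # blank, comment or continuation
            continue
        if LDIF_LINE.match(line):
            continue
        if BAD_SEP.match(line):
            problems.append((n, "uses '=' as separator; LDIF needs 'attr: value'"))
        else:
            problems.append((n, 'not an LDIF attribute line'))
    return problems


def fix_ldif_separators(text):
    """Rewrite 'name=value' lines as 'name: value'; leave valid lines alone."""
    out = []
    for line in text.splitlines():
        m = BAD_SEP.match(line)
        if m and not LDIF_LINE.match(line):
            line = '%s: %s' % (m.group(1), m.group(2))
        out.append(line)
    return '\n'.join(out) + '\n'


def aci_value(line):
    """Strip the 'aci:' (or mistaken 'aci=') prefix from an LDIF line."""
    m = re.match(r'^aci\s*[:=]\s*(.*)$', line, re.IGNORECASE)
    if not m:
        raise ValueError('not an aci line: %r' % line)
    return m.group(1)


def parse_aci(value):
    """Parse an ACI string into its clauses; rights become a lowercase set."""
    m = ACI_RE.match(value.strip())
    if not m:
        raise ValueError('unrecognised ACI syntax: %r' % value)
    aci = m.groupdict()
    aci['rights'] = {r.strip().lower() for r in aci['rights'].split(',') if r.strip()}
    return aci


def review_aci(aci):
    """Least-privilege findings for an ACI meant only to add/remove entries."""
    findings = []
    if aci['effect'].lower() != 'allow':
        return findings
    if 'all' in aci['rights']:
        findings.append('allow (all) grants every right (read, write, search, compare, ...), not just add and delete')
    extra = aci['rights'] - NEEDED_FOR_ADD_REMOVE - {'all'}
    if extra:
        findings.append('rights beyond add/delete: ' + ', '.join(sorted(extra)))
    if aci['dn'].lower() in ('ldap:///anyone', 'ldap:///all'):
        findings.append('subject is not a specific account: ' + aci['dn'])
    return findings


def tighten_aci(value, rights=('add', 'delete')):
    """Return the ACI with its allow-list replaced, e.g. (all) -> (add, delete)."""
    return re.sub(r'(allow\s*\()[^)]*(\))',
                  lambda m: m.group(1) + ', '.join(rights) + m.group(2),
                  value, count=1, flags=re.IGNORECASE)
```

Run lint_ldif over a fragment before feeding it to ldapmodify; on the ACI fragment above it reports line 4, and fix_ldif_separators turns that line into aci: (targetattr=...). review_aci on the parsed ACI points out that allow (all) with targetattr="*" lets the useradd account read and rewrite every attribute of every entry under ou=people, including userPassword; tighten_aci shows the narrower allow (add, delete) form if the account really only creates and deletes entries. Whether the wider grant is acceptable is a local decision, but the check makes the difference visible before the ACI is applied.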