Administrative LDAP user example

From Brandonhutchinson.com

(Difference between revisions)
Jump to: navigation, search
Current revision (21:10, 7 August 2008) (edit) (undo)
 
Line 1: Line 1:
In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''.
In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is '''uid=useradd,dc=subdomain,dc=example,dc=com'''.
-
# Create the account using the following LDIF:
+
* Create the account using the following LDIF:
dn: uid=useradd,dc=subdomain,dc=example,dc=com
dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid: useradd
uid: useradd
Line 17: Line 17:
* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).
* We also do not make the account a member of the objectClasses '''posixAccount''' and '''shadowAccount''' so that various non-applicable attributes are not required (e.g., '''homeDirectory''', '''loginShell''', etc.).
-
# Modify the ACI on '''ou=people''' so that this account can add and remove LDAP accounts.
+
* Modify the ACI on '''ou=people''' so that this account can add and remove LDAP accounts.
dn: ou=people,dc=subdomain,dc=example,dc=com
dn: ou=people,dc=subdomain,dc=example,dc=com
-
changetype: add
+
changetype: modify
 +
add: aci
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)

Current revision

In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is uid=useradd,dc=subdomain,dc=example,dc=com.

  • Create the account using the following LDIF: 
dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid: useradd
givenName: useradd account
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: for ldap script
cn: useradd account for ldap script
userPassword: password
  • We intentionally do not place the account within ou=people so that it is not displayed using ldaplist passwd.
  • We also do not make the account a member of the objectClasses posixAccount and shadowAccount so that various non-applicable attributes are not required (e.g., homeDirectory, loginShell, etc.).
  • Modify the ACI on ou=people so that this account can add and remove LDAP accounts. 
dn: ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
add: aci
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)
Retrieved from "http://brandonhutchinson.com/wiki/Administrative_LDAP_user_example"
Personal tools