Administrative LDAP user example

From Brandonhutchinson.com

Revision as of 20:59, 7 August 2008 by Hutch (Talk | contribs)
Jump to: navigation, search

In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is uid=useradd,dc=subdomain,dc=example,dc=com.

  1. Create the account using the following LDIF:
dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid=useradd
givenName=useradd account
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
sn=for ldap script
cn=useradd account for ldap script
userPassword=password
  • We intentionally do not place the account within ou=people so that it is not displayed using ldaplist passwd.
  • We also do not make the account a member of the objectClasses posixAccount and shadowAccount so that various non-applicable attributes are not required (e.g., homeDirectory, loginShell, etc.).
  1. Modify the ACI on ou=people so that this account can add and remove LDAP accounts.
dn: ou=people,dc=subdomain,dc=example,dc=com
changetype: add
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=prummcx,dc=unix,dc=navitaire,dc=com" ;)
Personal tools