Administrative LDAP user example

From Brandonhutchinson.com

Revision as of 21:00, 7 August 2008 by Hutch (Talk | contribs)

(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)

In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is uid=useradd,dc=subdomain,dc=example,dc=com.

Create the account using the following LDIF:

dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid=useradd
givenName=useradd account
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
sn=for ldap script
cn=useradd account for ldap script
userPassword=password

We intentionally do not place the account within ou=people so that it is not displayed using ldaplist passwd.

We also do not make the account a member of the objectClasses posixAccount and shadowAccount so that various non-applicable attributes are not required (e.g., homeDirectory, loginShell, etc.).

Modify the ACI on ou=people so that this account can add and remove LDAP accounts.

dn: ou=people,dc=subdomain,dc=example,dc=com
changetype: add
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)

Retrieved from "http://brandonhutchinson.com/wiki/Administrative_LDAP_user_example"

Administrative LDAP user example

From Brandonhutchinson.com

Views

Personal tools

Navigation

Search

Toolbox