Administrative LDAP user example


Jump to: navigation, search

In our environment, we allow another team to add and remove LDAP users via a Perl script. The name of the account is uid=useradd,dc=subdomain,dc=example,dc=com.

  • Create the account using the following LDIF:
dn: uid=useradd,dc=subdomain,dc=example,dc=com
uid: useradd
givenName: useradd account
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: for ldap script
cn: useradd account for ldap script
userPassword: password
  • We intentionally do not place the account within ou=people so that it is not displayed using ldaplist passwd.
  • We also do not make the account a member of the objectClasses posixAccount and shadowAccount so that various non-applicable attributes are not required (e.g., homeDirectory, loginShell, etc.).
  • Modify the ACI on ou=people so that this account can add and remove LDAP accounts.
dn: ou=people,dc=subdomain,dc=example,dc=com
changetype: modify
add: aci
aci=(targetattr="*") (version 3.0; acl "Allow useradd to modify ou=people"; allow (all) userdn="ldap:///uid=useradd,dc=subdomain,dc=example,dc=com" ;)
Personal tools