[Fedora-directory-users] User Account Management

Paxton, Darren darren.paxton at mercer.com
Mon Mar 5 11:36:23 UTC 2007


Hi all

I've managed to get a few features that I'd been struggling with working
on FDS, however I'd appreciate any guidance with the following:

Our service desk is outsourced and I'm looking to replace an existing
NIS implementation with LDAP (probably Redhat, but until we prove it to
be reliable I'm sticking with FDS for now).

I'm trying to avoid using the Administrator accounts set up in
O=NetscapeRoot and create user accounts within the main
dc=example,dc=com schema and give them access to the relevant subtrees
to be able to create user accounts, reset passwords etc - effectively
delegating restricted admin access whilst still ensuring the security
model.

I thought I had achieved this by setting an Access Role on the target OU
and specifying that a group I had already created would have full access
to all attributes (I can refine this later to restrict down to the bare
minimum).

Below is the syntax obtained from the GUI console when setting up the
restriction

(targetattr = "*") 
(target = "ldap:///ou=Laser,dc=example,dc=com") 
(version 3.0;
acl "Sdesk";
allow (all)
(groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com")
;)

however, when I attempt to add a user via the newuser.pl script I
obtained from netauth, I get the following:

failed to add entry: Insufficient 'write' privilege to the
'userPassword' attribute at ./newuser.pl line 232, <DATA> line 228.

Has anyone implemented a security model like this and if so, would they
be able to share any experiences?

Thanks

Darren
--
Darren Paxton, European Midrange Systems Senior Engineer
Centralised Operations | MMC Global Technology Infrastructure (MGTI)
Mercer Human Resource Consulting | Mercury Court, Tithebarn Street,
Liverpool, L2 2QH, Merseyside, UK
+44 (0) 151 242 7216 | Mobile +44 (0) 7789 0 30027 |
darren.paxton at mercer.com
www.mmc.com


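As an added illustration (not code from the original post, nor from Fedora Directory Server itself), the Python below models how one ACI like the "Sdesk" one is checked against a write: the entry must sit under the target subtree, the attribute must be covered by targetattr, the right must be granted, and the bind DN must be a member of the groupdn. The bind DNs, entry DNs and group membership are constructed; a real server evaluates every applicable ACI and denies by default, so this only shows the conditions a single ACI imposes.

```python
import re

# The ACI exactly as pasted in the message.
ACI = '''(targetattr = "*")
(target = "ldap:///ou=Laser,dc=example,dc=com")
(version 3.0;
acl "Sdesk";
allow (all)
(groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com")
;)'''


def norm_dn(dn):
    """Lower-case and strip spaces around RDN separators (ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed group membership; a real server reads the group entry's members.
GROUPS = {
    norm_dn("cn=gpServiceDesk,ou=Groups, dc=example,dc=com"): {
        norm_dn("uid=sdesk1,ou=People,dc=example,dc=com"),
    },
}


def parse_aci(aci):
    """Pull the four clauses this ACI uses out of the ACI string."""
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]+)"\)', aci).group(1)
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]+)"\)', aci).group(1)
    rights = re.search(r'allow\s*\(([^)]+)\)', aci).group(1)
    groupdn = re.search(r'\(groupdn\s*=\s*"ldap:///([^"]+)"\)', aci).group(1)
    return {
        "target": norm_dn(target),
        "attrs": {a.strip().lower() for a in attrs.split("||")},
        "rights": {r.strip().lower() for r in rights.split(",")},
        "groupdn": norm_dn(groupdn),
    }


def in_subtree(entry_dn, base_dn):
    entry, base = norm_dn(entry_dn), norm_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def allows(aci, bind_dn, entry_dn, attr, right):
    """Deny unless every clause of this one ACI matches the requested write."""
    if not in_subtree(entry_dn, aci["target"]):
        return False                      # entry is outside the target subtree
    if "*" not in aci["attrs"] and attr.lower() not in aci["attrs"]:
        return False                      # attribute not covered by targetattr
    if right.lower() not in aci["rights"] and "all" not in aci["rights"]:
        return False                      # right not granted
    return norm_dn(bind_dn) in GROUPS.get(aci["groupdn"], set())
```

Running the same write for an entry under ou=People instead of ou=Laser, or for a bind DN that is not in gpServiceDesk, returns False, which are two of the conditions worth checking when a script reports insufficient privilege.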

