[Freeipa-users] limit access to a specific CN

Sumit Bose sbose at redhat.com
Wed Feb 16 17:02:31 UTC 2011


On Wed, Feb 16, 2011 at 09:28:10AM -0500, Peter Doherty wrote:
> 
> On Feb 16, 2011, at 04:10 , Sumit Bose wrote:
> 
> >On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote:
> >>
> >>On Feb 15, 2011, at 14:45 , Simo Sorce wrote:
> >>
> >>>On Tue, 15 Feb 2011 14:09:07 -0500
> >>>Peter Doherty <doherty at hkl.hms.harvard.edu> wrote:
> >>>
> >>>>On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
> >>>>
> >>>>>Peter Doherty wrote:
> >>>>>>Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
> >>>>>>
> >>>>>>
> >>>>>>Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
> >>>>>>and then create an account that can edit that cn as much as they
> >>>>>>want,
> >>>>>><snip>
> >>>>>>
> >>>>>
> >>>>>What would you put into this container?
> >>>>>
> >>>>><snip>
> >>>>>
> >>>>>rob
> >>>>
> >>>>The first thing I'm looking to do with it is have a web server that
> >>>>has account information stored in LDAP, and to allow users to do
> >>>>ldap authentication.  The users logging into the web server
> >>>>would be
> >>>><snip>
> >>>
> >>>It is possible to do using LDAP tools and then setting an ACI on the
> >>>container to give the user you want full control on that container.
> >>>
> >>>Simo.
> >>
> >>Simo,
> >>
> >>This gave me a good starting point, and after reading some more,
> >>I'm starting to wrap my brain around what I want to do and how
> >>to do it.
> >>LDAP has a steep learning curve, IMHO.
> >>Can you recommend any GUI tools for creating/modifying the ACI
> >>for the container?  I started to try and create an ACI using the
> >>ones within FreeIPA as a reference, but if there's a GUI that
> >>would be useful too.  I checked out Apache Directory Studio
> >>which looks nice, but doesn't seem to support the schema that
> >>FreeIPA is using.
> >
> >I use Apache Directory Studio to edit FreeIPA LDAP objects and I can
> >also see and edit ACIs. The schema shouldn't be a problem, because the
> >editor can read the schema data from the LDAP server. What kind of
> >problems are you seeing?
> 
> Well, Apache Directory Studio has an ACI editor (looks like this:
> http://directory.apache.org/studio/screenshots.data/aci_visual_1.png
> )
> so you don't edit the text directly, but rather use a GUI, which
> builds the policy in text and inserts it when you're done editing.
> But it seems to use a different schema than FreeIPA is using...

This plugin is for Apache Directory Server only. AFAIK there is nothing
like a standard for ACIs in directory servers and so every directory
server has its own concept of access control.

bye,
Sumit

> 
> Peter
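What Simo's suggestion looks like in practice, as an added example that is not from the thread: an LDIF in 389 Directory Server ACI syntax (the server underneath FreeIPA) that creates the container Peter named and delegates full control over it to one user. The delegate DN uid=webadmin,cn=users,cn=accounts,dc=example,dc=com is a hypothetical account; the Directory Manager bind is an assumption.

```ldif
# Added example, not from the mailing-list thread. Assumptions:
#   container: cn=subgroup,dc=example,dc=com   (the DN from Peter's question)
#   delegate:  uid=webadmin,cn=users,cn=accounts,dc=example,dc=com (hypothetical)
# Apply as Directory Manager:
#   ldapmodify -x -D "cn=Directory Manager" -W -f subgroup-aci.ldif

# 1. Create the container (skip this record if it already exists).
dn: cn=subgroup,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
cn: subgroup

# 2. Put the ACI on the container itself. A 389-ds ACI only applies to the
#    entry it lives on and the subtree below it, so the delegate gains nothing
#    outside cn=subgroup. "all" = read, search, compare, write, selfwrite,
#    add, delete; it does not include proxy.
#    Lines starting with a space are LDIF continuations of the aci value.
dn: cn=subgroup,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "webadmin has full control over cn=subgroup";
  allow (all) userdn = "ldap:///uid=webadmin,cn=users,cn=accounts,dc=example,dc=com";)

# 3. Check the result from the delegate's side: the ACI should be readable on
#    the container, and an add under it should succeed, while the same add
#    outside the container (e.g. under dc=example,dc=com) should be refused.
#   ldapsearch -x -D "uid=webadmin,cn=users,cn=accounts,dc=example,dc=com" -W \
#       -b "cn=subgroup,dc=example,dc=com" -s base aci
```

The second check is the one worth automating: a delegation ACI that is accidentally attached above the intended container is the common way this kind of scoped grant turns into a much broader one.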
