Delegating rights to groups of users
Fеnикs
fenuksuh at ya.ru
Tue Feb 4 13:32:08 CET 2014
Thanks a lot for those links.
I was able to give the standard group "HR Managers" rights to add/remove members
to all groups and to add/edit/delete new users.
However, I cannot deny adding the nsRoleDN attribute when creating users.
Here's the ACI entry:
(targetattr !="nsroledn") (version 3.0;acl "HR Group Permissions to edit users";allow (write,add,delete)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=domain,dc=tld");)
Adding roles when creating a new user works fine. Editing the roles of an existing user
gives "Internal error".
So anyone with such an ACI can create a user with the kolab-admin role.
Any ideas how to work around it? I need them to only add and edit regular
users.
Regards,
Aleksej
In the message of Monday 03 February 2014 19:32:39 you wrote:
> Hi Aleksej
>
> make yourself familiar with how LDAP ACLs are being stored and
> maintained in 389ds. You can give groups write/read access to certain
> fields on the whole directory or on subtrees and then assign people to this
> group. Kolab-Webadmin will then provide them write access to whatever
> attributes they have permissions for.
>
> http://directory.fedoraproject.org/wiki/Howto:AccessControl
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Access_Control.html
>
> This is one of the example ACIs you find on a vanilla installation
>
> $ ldapsearch -xW -D "cn=Directory Manager" -b "dc=example,dc=org" aci
> [...]
> # People, example.org
> dn: ou=People,dc=example,dc=org
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=example,dc=org");)
>
> It's all done in ldap :-)
>
> --
> Regards
> Daniel
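The two ACIs quoted in this thread are easy to misread once a mail client or LDIF folding has wrapped them. The script below is an added example (not code from the Kolab project or from either poster) that unfolds an `ldapsearch ... aci` dump, parses each ACI into its target rules, rights and bind rule, and answers the audit question behind the thread: which ACIs reach a given attribute with a given right. The sample LDIF is constructed from the two ACIs on this page; the parser only models the targetattr/rights part of the check, not the bind rule, targetfilter or how the server treats add/delete at the entry level, and it treats a missing targetattr as "all attributes", which is an assumption you should confirm against your server version.

```python
"""Parse 389ds/RHDS ACI strings and report which attributes each one reaches.

Added example; not code from the Kolab project or the thread's authors.
SAMPLE_LDIF is constructed from the two ACIs quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: an `ldapsearch ... aci` dump with LDIF line folding
# (continuation lines start with a single space), as the server emits it.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=org
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(ve
 rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR M
 anagers,ou=groups,dc=example,dc=org");)

dn: dc=domain,dc=tld
aci: (targetattr !="nsroledn")(version 3.0;acl "HR Group Permissions to edit u
 sers";allow (write,add,delete)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc
 =domain,dc=tld");)
"""

# Longer keywords first so "target" does not swallow "targetattr".
TARGET_RE = re.compile(r'\(\s*(targetattr|targetfilter|targetscope|target)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)


@dataclass
class Aci:
    name: str
    dn: str                          # entry the aci attribute sits on
    allow: Set[str]                  # rights in allow clauses (lower-cased)
    deny: Set[str]
    bind_rule: str                   # raw bind rule text, not evaluated here
    targetattr: Optional[List[str]]  # listed attribute names, or None if absent
    attr_negated: bool               # True for targetattr != "..."
    targetfilter: Optional[str]
    target: Optional[str]


def unwrap_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_acis(text: str):
    """Return [(dn, aci_string), ...] for every aci attribute in an LDIF dump."""
    out, dn = [], None
    for line in unwrap_ldif(text):
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("aci: "):
            out.append((dn, line[5:].strip()))
    return out


def parse_aci(dn: str, text: str) -> Aci:
    """Split one ACI into target rules, acl name, rights and bind rule."""
    text = " ".join(text.split())  # collapse any mail or LDIF wrapping
    m = BODY_RE.search(text)
    if not m:
        raise ValueError("no (version 3.0; acl ...) body in: " + text)
    name, body = m.group(1), m.group(2)
    targets = {kw: (op, val) for kw, op, val in TARGET_RE.findall(text[:m.start()])}
    allow: Set[str] = set()
    deny: Set[str] = set()
    bind: List[str] = []
    for kind, rights, rule in PERM_RE.findall(body):
        (allow if kind == "allow" else deny).update(r.strip().lower() for r in rights.split(","))
        bind.append(rule.strip())
    attr_op, attr_val = targets.get("targetattr", (None, None))
    return Aci(
        name=name, dn=dn, allow=allow, deny=deny, bind_rule=" ; ".join(bind),
        targetattr=None if attr_val is None else [a.strip().lower() for a in attr_val.split("||")],
        attr_negated=(attr_op == "!="),
        targetfilter=targets.get("targetfilter", (None, None))[1],
        target=targets.get("target", (None, None))[1],
    )


def covers_attribute(aci: Aci, attr: str) -> bool:
    """Does the ACI's targetattr reach `attr`?  Assumption: a missing targetattr
    means every attribute; confirm that default for your server version."""
    attr = attr.lower()
    if aci.targetattr is None:
        return True
    listed = "*" in aci.targetattr or attr in aci.targetattr
    return not listed if aci.attr_negated else listed


def grants(aci: Aci, right: str, attr: str) -> bool:
    """True if an allow clause lists `right` and targetattr reaches `attr`.
    Bind rule, targetfilter and entry-level add/delete handling are not modelled."""
    return right.lower() in aci.allow and covers_attribute(aci, attr)


def acis_granting(acis: List[Aci], right: str, attr: str) -> List[str]:
    """Names of the ACIs whose subjects get `right` on `attr` (attribute check only)."""
    return [a.name for a in acis if grants(a, right, attr)]


if __name__ == "__main__":
    parsed = [parse_aci(dn, s) for dn, s in parse_ldif_acis(SAMPLE_LDIF)]
    for a in parsed:
        neg = "!" if a.attr_negated else ""
        print(f"{a.name!r} on {a.dn}: allow={sorted(a.allow)} targetattr={neg}{a.targetattr} bind={a.bind_rule}")
    print("write on nsroledn:", acis_granting(parsed, "write", "nsroledn"))
    print("add on mail:", acis_granting(parsed, "add", "mail"))
```

Run against a real dump by piping `ldapsearch -xW -D "cn=Directory Manager" -b "dc=..." aci` into the parser instead of SAMPLE_LDIF. Note what the two page ACIs give when audited this way: the Kolab one excludes nsroledn from write as intended, while the vanilla "HR Group Permissions" example, which only excludes cn, sn and uid, does reach nsroledn with write for entries matching its targetfilter.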