Bind user with rights to change password.

Shaw, Brian bshaw at vsvinc.com
Mon Jan 12 14:16:48 CET 2015



@Nikolai, sorry for the delay in getting back to you.

@Jan, nice examples. The only thing I would change is to add a "target"
restriction that says what part of the tree the rule is allowed to act
upon. 

aci: (target="ldap:///ou=People,dc=example,dc=com")(targetattr = "*")
 (version 3.0; acl "Owncloud Bind User"; allow (read,compare,search)
 (userdn = "ldap:///uid=owncloud-bind,ou=Special Users,dc=example,dc=com");)
aci: (target="ldap:///ou=People,dc=example,dc=com")(targetattr = "userPassword")
 (version 3.0; acl "Owncloud Bind User"; allow (read,search,compare,add,write,selfwrite,delete)
 (userdn = "ldap:///uid=owncloud-bind,ou=Special Users,dc=example,dc=com");)

On 2015-01-09 4:34 pm, Jan Kowalsky wrote: 

> On 29.12.2014 at 04:20, bshaw at vsvinc.com wrote:
> 
>> Nikolai,
>> 
>> The trick is to create an ACI rule that gives the desired permission to
>> your bind user. I'm not near my LDAP server at the moment to work out an
>> example but if you need one, let me know and when I'm next on that
>> system, I'll work it out.
>> 
>> Brian
>> 
>> Sent from Nine
>> 
>> From: Nikolai Maziashvili <mlist_kolab at cyclinggeorgian.com>
>> Sent: Dec 28, 2014 7:18 PM
>> To: Users
>> Subject: Bind user with rights to change password.
> 
> maybe something like this (unproved):
> 
> # add special bind user for owncloud
> dn: uid=owncloud-bind,ou=Special Users,dc=example,dc=com
> changetype: add
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> uid: owncloud-bind
> cn: owncloud bind
> givenName: owncloud
> sn: bind
> userPassword: secret
> 
> # allow user to change password in the specific domain
> # (continuation lines of a multi-line aci value must start with one space)
> dn: dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr = "*")
>  (version 3.0; acl "Owncloud Bind User"; allow (read,compare,search)
>  (userdn = "ldap:///uid=owncloud-bind,ou=Special Users,dc=example,dc=com");)
> aci: (targetattr = "userPassword")
>  (version 3.0; acl "Owncloud Bind User"; allow (read,search,compare,add,write,selfwrite,delete)
>  (userdn = "ldap:///uid=owncloud-bind,ou=Special Users,dc=example,dc=com");)
> 
> If you have multiple domains, you have to do the last step for every
> domain where this bind user should have the ability to change passwords.
> 
> Regards
> Jan
> 
> _______________________________________________
> users mailing list
> users at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users