You can put your users into LDAP groups and have Apache check
that the user exists in the specified group. I do this for subversion
access (f14 & freeipa 1.2.2). This way I can manage everything over
the freeipa webgui without resorting to external tools.

- Ben

-----Original Message-----
[] On Behalf Of Simo Sorce
Sent: Tuesday, February 15, 2011 20:46
To: Peter Doherty
Subject: Re: [Freeipa-users] limit access to a specific CN

On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty <> wrote:

> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
> > Peter Doherty wrote:
> >> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
> >>
> >>
> >> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com) 
> >> and then create an account that can edit that cn as much as they 
> >> want, but can't edit the other ones (ie: accounts, groups...)?
> >> Any pointers to documentation would be useful. Unfortunately I'm 
> >> not 100% clear on my terminology, so google searches are leading me 
> >> a bit astray.
> >
> > What would you put into this container?
> >
> > 389-ds certainly supports doing this, depending on what exactly you 
> > want to do IPA may or may not support it. For example, we look for a 
> > type of entry only within a given container, so you can't put users 
> > into another location.
> >
> > rob
> The first thing I'm looking to do with it is have a web server that 
> has account information stored in LDAP, and to allow users to to ldap 
> authentication.  The users logging into the web server would be 
> different from the posix groups that are managed by FreeIPA.  I want 
> to replace htaccess and htpasswd files and use LDAP instead.
> It seems like I could create a subsection in LDAP and set up apache to 
> bind and auth against that.  But I also want a seperate ldap admin 
> account that can only edit this section, and not the rest of the 
> FreeIPA data.
> Thanks.

It is possible to do using LDAP tools and then setting an ACI on the
container to give the user you want full control on that container.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to