You can put your users into LDAP groups and have Apache check that the user exists in the specified group. I do this for subversion access (f14 & freeipa 1.2.2). This way I can manage everything over the freeipa webgui without resorting to external tools.
- Ben

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Simo Sorce
Sent: Tuesday, February 15, 2011 20:46
To: Peter Doherty
Cc: firstname.lastname@example.org
Subject: Re: [Freeipa-users] limit access to a specific CN

On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty <dohe...@hkl.hms.harvard.edu> wrote:

> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
>
> > Peter Doherty wrote:
> >> Hello, I'm running Fedora 14 and freeipa 1.2.2-6
> >>
> >> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com) and then create an account that can edit that cn as much as they want, but can't edit the other ones (ie: accounts, groups...)? Any pointers to documentation would be useful. Unfortunately I'm not 100% clear on my terminology, so google searches are leading me a bit astray.
> >
> > What would you put into this container?
> >
> > 389-ds certainly supports doing this; depending on what exactly you want to do, IPA may or may not support it. For example, we look for a type of entry only within a given container, so you can't put users into another location.
> >
> > rob
>
> The first thing I'm looking to do with it is have a web server that has account information stored in LDAP, and to allow users to do ldap authentication. The users logging into the web server would be different from the posix groups that are managed by FreeIPA. I want to replace htaccess and htpasswd files and use LDAP instead.
> It seems like I could create a subsection in LDAP and set up apache to bind and auth against that. But I also want a separate ldap admin account that can only edit this section, and not the rest of the FreeIPA data.
> Thanks.

It is possible to do using LDAP tools and then setting an ACI on the container to give the user you want full control on that container.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
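The two answers in this thread are the two halves of one setup: Simo's container-plus-ACI for the delegated "web admin" account, and Ben's Apache check that the authenticated user is in an IPA group. The script below is an added example, not code from either poster or from the FreeIPA project. It emits the LDIF for the container and its ACI, emits an Apache 2.2 (Fedora 14) mod_authnz_ldap stanza for Subversion, and offers a bind-as-webadmin check of the ACI. Every name in it is an assumption chosen for illustration: the suffix dc=example,dc=com, the host ipa.example.com, the delegated account uid=webadmin, the group cn=svn-users, the sample user alice, and the CA path /etc/ipa/ca.crt that ipa-client-install drops on clients.

```shell
#!/bin/sh
# Added example for the thread above; not code from the list posts or from FreeIPA.
# 1. Create a separate container for web-application accounts and give ONE
#    account full control of it via a 389-ds ACI (Simo's suggestion).
# 2. Emit an Apache 2.2 mod_authnz_ldap stanza that authenticates against the
#    IPA tree and requires membership of an IPA group (Ben's approach).
# Every name below (suffix, host, webadmin, svn-users, alice, CA path) is an
# assumption chosen for illustration; override them in the environment.
set -eu

: "${BASE_DN:=dc=example,dc=com}"
: "${IPA_HOST:=ipa.example.com}"
: "${WEBADMIN_DN:=uid=webadmin,cn=users,cn=accounts,$BASE_DN}"

# LDIF for the new container plus one constructed sample user inside it.
# The ACI lives on the container entry, so it covers that entry and everything
# beneath it; the explicit (target ...) clause pins it to that subtree.
# 389-ds denies by default, so "allow (all)" here grants webadmin read/write/
# add/delete inside cn=webusers and nothing anywhere else. IPA's own ACIs on the
# suffix still apply inside the container (IPA admins can still edit it).
render_webusers_ldif() {
cat <<EOF
dn: cn=webusers,$BASE_DN
objectClass: top
objectClass: nsContainer
cn: webusers
aci: (target = "ldap:///cn=webusers,$BASE_DN")(targetattr = "*")(version 3.0; acl "webadmin owns cn=webusers"; allow (all) userdn = "ldap:///$WEBADMIN_DN";)

dn: uid=alice,cn=webusers,$BASE_DN
objectClass: top
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
EOF
}

# Apache 2.2 mod_authnz_ldap: Subversion gated on an IPA group.
# Users are looked up by uid under cn=users,cn=accounts; IPA groups carry full
# member DNs in the "member" attribute, which is what the two AuthLDAPGroup*
# directives tell Apache to compare against.
render_httpd_conf() {
cat <<EOF
# Trust the IPA CA so the ldaps:// connection is verified, not just encrypted.
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt
LDAPVerifyServerCert On

<Location /svn>
    DAV svn
    SVNParentPath /var/www/svn
    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    AuthLDAPURL "ldaps://$IPA_HOST/cn=users,cn=accounts,$BASE_DN?uid?sub?(objectClass=posixAccount)"
    # For accounts kept in the delegated container instead, point the URL at
    # cn=webusers,$BASE_DN with filter (objectClass=inetOrgPerson).
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group cn=svn-users,cn=groups,cn=accounts,$BASE_DN
</Location>
EOF
}

case "${1:-}" in
  ldif)  render_webusers_ldif ;;
  httpd) render_httpd_conf ;;
  apply)
    # Creating the container and its ACI needs Directory Manager (or an IPA
    # admin Kerberos ticket with -Y GSSAPI instead of -x -D ... -W).
    render_webusers_ldif | ldapadd -x -H "ldaps://$IPA_HOST" -D "cn=Directory Manager" -W
    ;;
  check)
    # The practitioner's test of the ACI: bound as webadmin, a write inside the
    # container must succeed and the same write outside it must be refused with
    # "Insufficient access". Both probes only touch the description attribute.
    for dn in "cn=webusers,$BASE_DN" "cn=users,cn=accounts,$BASE_DN"; do
      printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: aci probe\n' "$dn" \
        | ldapmodify -x -H "ldaps://$IPA_HOST" -D "$WEBADMIN_DN" -W \
        && echo "write to $dn: allowed" || echo "write to $dn: denied"
    done
    ;;
esac
```

Run it as `sh ipa-webusers.sh apply` once, then `sh ipa-webusers.sh check` to confirm the delegation really stops at the container boundary before handing the webadmin credentials to anyone; `ldif` and `httpd` just print the two fragments for review. Give alice a password afterwards with `ldappasswd` bound as webadmin, which is itself a second confirmation that the ACI works.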