Peter Doherty wrote:

On Feb 16, 2011, at 04:10 , Sumit Bose wrote:

On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote:

On Feb 15, 2011, at 14:45 , Simo Sorce wrote:

On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty <> wrote:

On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:

Peter Doherty wrote:
Hello, I'm running Fedora 14 and freeipa 1.2.2-6

Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
and then create an account that can edit that cn as much as they

What would you put into this container?



The first thing I'm looking to do with it is have a web server that
has account information stored in LDAP, and to allow users to do
ldap authentication. The users logging into the web server would be

It is possible to do using LDAP tools and then setting an ACI on the
container to give the user you want full control on that container.



This gave me a good starting point, and after reading some more, I'm
starting to wrap my brain around what I want to do and how to do it.
LDAP has a steep learning curve, IMHO.
Can you recommend any GUI tools for creating/modifying the ACI for
the container? I started to try and create an ACI using the ones
within FreeIPA as a reference, but if there's a GUI that would be
useful too. I checked out Apache Directory Studio which looks nice,
but doesn't seem to support the schema that FreeIPA is using.

I use Apache Directory Studio to edit FreeIPA LDAP objects and I can
also see and edit ACIs. The schema shouldn't be a problem, because the
editor can read the schema data from the LDAP server. Which kind of
problems are you seeing?

Well, Apache Directory Studio has ACI editor (looks like this: )
so you don't edit the text directly, but rather use a GUI, which builds
the policy in text and inserts it when you're done editing.
But it seems to use a different schema than FreeIPA is using...


You can read about 389-ds acis at:

It has 3 basic parts: target, permissions, bind rule

In this case the bind rule is the user you want to allow editing.

The rest depends on whether you want to restrict your user at all. If you want it to be able to do anything you can probably get away with putting something like this into cn=yourcontainer,dc=example,dc=com (I haven't tested this):

aci: (targetattr="*")(version 3.0; acl "Apache access Account"; allow (all) userdn= "ldap:///uid=apache,cn=yourcontainer,dc=example,dc=com";;)


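As an added example (not code from the thread or from FreeIPA), a small Python helper that splits a 389-ds ACI into the three parts named above (target, permissions, bind rule), flags the "full control" case the suggested ACI grants, and builds the LDIF you would hand to ldapmodify to put it on the container. It assumes the container DN and the untested ACI from the message above.

```python
import re

# Constructed sample: the untested ACI proposed in the message above.
SAMPLE_ACI = ('(targetattr="*")(version 3.0; acl "Apache access Account"; '
              'allow (all) userdn= "ldap:///uid=apache,cn=yourcontainer,dc=example,dc=com";;)')
# One target clause: (keyword = "value") or (keyword != "value"); 'target' is last so
# that 'targetattr' etc. win the alternation.
TARGET_RE = re.compile(r'\s*\((targetattr|targetfilter|targetscope|target)\s*(!?=)\s*"([^"]*)"\)')
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.+)$', re.S)
USERDN_RE = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"')

def parse_aci(aci):
    """Split a 389-ds ACI into its three parts: targets, permissions, bind rules."""
    targets, pos = [], 0
    while True:
        m = TARGET_RE.match(aci, pos)
        if not m:
            break
        targets.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    body = aci[pos:].strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("ACI body must be enclosed in parentheses")
    # Clauses are ';'-separated; a stray ';;' only yields an empty clause, which we drop.
    clauses = [c.strip() for c in body[1:-1].split(";") if c.strip()]
    if len(clauses) < 3 or not clauses[0].startswith("version") or not clauses[1].startswith("acl"):
        raise ValueError("expected 'version 3.0; acl \"name\"; <rules>'")
    rules = []
    for clause in clauses[2:]:
        rm = RULE_RE.match(clause)
        if not rm:
            raise ValueError("unparseable rule: %r" % clause)
        rules.append({"effect": rm.group(1),
                      "permissions": [p.strip() for p in rm.group(2).split(",")],
                      "bind_rule": rm.group(3).strip()})
    return {"targets": targets, "version": clauses[0].split()[1],
            "name": clauses[1].split('"')[1], "rules": rules}

def grants_full_control(parsed):
    """True when an allow rule covers every attribute with every permission."""
    all_attrs = any(k == "targetattr" and op == "=" and v == "*" for k, op, v in parsed["targets"])
    return all_attrs and any(r["effect"] == "allow" and "all" in r["permissions"] for r in parsed["rules"])

def bound_users(parsed):
    """DNs named by userdn bind rules, i.e. who the ACI applies to."""
    return [d for r in parsed["rules"] for d in USERDN_RE.findall(r["bind_rule"])]

def to_ldif(container_dn, aci):
    """LDIF that adds the ACI to the container (feed it to ldapmodify)."""
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (container_dn, aci)
```

Running parse_aci on the sample shows the single target, the "Apache access Account" name and one allow(all) rule bound to the apache user; grants_full_control then reports that this is indeed full control over the container, which is what the thread intends.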
Freeipa-users mailing list
