On Wed, Feb 16, 2011 at 09:28:10AM -0500, Peter Doherty wrote:
>
> On Feb 16, 2011, at 04:10 , Sumit Bose wrote:
>
> >On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote:
> >>
> >>On Feb 15, 2011, at 14:45 , Simo Sorce wrote:
> >>
> >>>On Tue, 15 Feb 2011 14:09:07 -0500
> >>>Peter Doherty <[email protected]> wrote:
> >>>
> >>>>On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
> >>>>
> >>>>>Peter Doherty wrote:
> >>>>>>Hello, I'm running Fedora 14 and freeipa 1.2.2-6
> >>>>>>
> >>>>>>
> >>>>>>Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
> >>>>>>and then create an account that can edit that cn as much as they
> >>>>>>want,
> >>>>>><snip>
> >>>>>>
> >>>>>
> >>>>>What would you put into this container?
> >>>>>
> >>>>><snip>
> >>>>>
> >>>>>rob
> >>>>
> >>>>The first thing I'm looking to do with it is have a web server that
> >>>>has account information stored in LDAP, and to allow users to to
> >>>>ldap authentication. The users logging into the web server
> >>>>would be
> >>>><snip>
> >>>
> >>>It is possible to do using LDAP tools and then setting an ACI on the
> >>>container to give the user you want full control on that container.
> >>>
> >>>Simo.
> >>
> >>Simo,
> >>
> >>This gave me a good starting point, and after reading some more,
> >>I'm starting to wrap my brain around what I want to do and how
> >>to do it.
> >>LDAP has a steep learning curve, IMHO.
> >>Can you recommend any GUI tools for creating/modifying the ACI
> >>for the container? I started to try and create an ACI using the
> >>ones within FreeIPA as a reference, but if there's a GUI that
> >>would be useful too. I checked out Apache Directory Studio
> >>which looks nice, but doesn't seem to support the schema that
> >>FreeIPA is using.
> >
> >I use Apache Directory Studio to edit FreeIPA LDAP objects and I can
> >also see and edit ACIs. The schema shouldn't be a problem, because the
> >editor can read the schema data from the LDAP server. Which kind of
> >problems are you seeing?
>
> Well, Apache Directory Studio has an ACI editor (looks like this:
> http://directory.apache.org/studio/screenshots.data/aci_visual_1.png
> )
> so you don't edit the text directly, but rather use a GUI, which
> builds the policy in text and inserts it when you're done editing.
> But it seems to use a different schema than FreeIPA is using...

This plugin is for Apache Directory Server only. AFAIK there is nothing
like a standard for ACIs in directory servers and so every directory
server has its own concept of access control.

bye,
Sumit

>
> Peter

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
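
The approach discussed in the thread (a container plus an ACI that delegates it to one account), written out as LDIF in the ACI syntax of 389 Directory Server, which FreeIPA uses. This is an added example, not text from any poster or from the FreeIPA project. The container DN is the one from the original question; the account `uid=webadmin` under `cn=users,cn=accounts`, and the ACL name, are assumptions made for illustration.

```ldif
# Added example. uid=webadmin and the acl name are hypothetical.
# 1. Create the container from the original question.
dn: cn=subgroup,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
cn: subgroup

# 2. Place the ACI on the container entry itself. With no (target=...)
#    keyword, the ACI applies to this entry and the subtree below it,
#    so the delegation does not reach the rest of dc=example,dc=com.
#    "allow (all)" does not include the proxy right.
dn: cn=subgroup,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "subgroup delegated admin"; allow (all) userdn = "ldap:///uid=webadmin,cn=users,cn=accounts,dc=example,dc=com";)
```

Load it with `ldapmodify` while bound as an administrator of the directory. The text in the `aci` value is what a GUI for this server would have to generate, which is why an editor built for Apache Directory Server's access control model cannot produce it.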
