On Wed, Feb 16, 2011 at 09:28:10AM -0500, Peter Doherty wrote:
> 
> On Feb 16, 2011, at 04:10 , Sumit Bose wrote:
> 
> >On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote:
> >>
> >>On Feb 15, 2011, at 14:45 , Simo Sorce wrote:
> >>
> >>>On Tue, 15 Feb 2011 14:09:07 -0500
> >>>Peter Doherty <dohe...@hkl.hms.harvard.edu> wrote:
> >>>
> >>>>On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
> >>>>
> >>>>>Peter Doherty wrote:
> >>>>>>Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
> >>>>>>
> >>>>>>
> >>>>>>Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
> >>>>>>and then create an account that can edit that cn as much as they
> >>>>>>want,
> >>>>>><snip>
> >>>>>>
> >>>>>
> >>>>>What would you put into this container?
> >>>>>
> >>>>><snip>
> >>>>>
> >>>>>rob
> >>>>
> >>>>The first thing I'm looking to do with it is have a web server that
> >>>>has account information stored in LDAP, and to allow users to to
> >>>>ldap authentication.  The users logging into the web server
> >>>>would be
> >>>><snip>
> >>>
> >>>It is possible to do using LDAP tools and then setting an ACI on the
> >>>container to give the user you want full control on that container.
> >>>
> >>>Simo.
> >>
> >>Simo,
> >>
> >>This gave me a good starting point, and after reading some more,
> >>I'm starting to wrap my brain around what I want to do and how
> >>to do it.
> >>LDAP has a steep learning curve, IMHO.
> >>Can you recommend any GUI tools for creating/modifying the ACI
> >>for the container?  I started to try and create an ACI using the
> >>ones within FreeIPA as a reference, but if there's a GUI that
> >>would be useful too.  I checked out Apache Directory Studio
> >>which looks nice, but doesn't seem to support the schema that
> >>FreeIPA is using.
> >
> >I use Apache Directory Studio to edit FreeIPA LDAP objects and I can
> >also see and edit ACIs. The schema shouldn't be a problem, because the
> >editor can read the schema data from the LDAP server. Which kind of
> >problems are you seeing ?
> 
> Well, Apache Directory Studio has ACI editor (looks like this:
> http://directory.apache.org/studio/screenshots.data/aci_visual_1.png
> )
> so you don't edit the text directly, but rather use a GUI, which
> builds the policy in text and inserts it when you're done editing.
> But it seems to use a different schema than FreeIPA is using...

This plugin is for Apache Directory Server only. AFAIK there is nothing
like a standard for ACIs in directory servers and so every directory
server has his own concept of access control.

bye,
Sumit

> 
> Peter

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to