I am trying to set up our copy of LAM Pro so that our customer
service personnel can manage users in a single OU in our LDAP tree, and
have two questions.
1. In the profile editor, I can specify all the customer service accounts
that can login by setting security to "fixed list" and specifying them,
however, that is a bit of a long list, that I don't want to maintain.
Instead, I would like to search my ldap domain for members of the group
'cn=cust_support,ou=group,dc=example,dc=com' and allow anyone in that ldap
group to be able to log into the support Profile. I'm not sure how to
structure the ldap filter to make that work.
2. I can make the above work with a fixed list, however, I am struggling
with the OpenLDAP permissions. I have a CentOS 6 server, which uses the
fun database config. I am trying to set the olcAccess values for
olcDatabase={2}bdb,cn=config database to the following:
{0}to attrs=userPassword
    by self write
    by anonymous auth
    by dn.children="ou=admins,dc=example,dc=com" write
    by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
    by * none
{1}to dn.subtree="ou=clientUsers,ou=People,dc=example,dc=com"
    by self write
    by dn.children="ou=admins,dc=example,dc=com" write
    by group.exact="cn=cust_support,ou=group,dc=example,dc=com" write
    by * read
{2}to *
    by self write
    by dn.children="ou=admins,dc=example,dc=com" write
    by * read
Basically, admins can do anything, cust_support can basically manage the ou
subtree (I added them to rule {0} to see if the password attribute was a
problem, but still not working).
I have tried making cn=cust_support,ou=group,dc=example,dc=com both a
posixGroup, and a groupOfNames. With both of them, when I go to save a new
user, I get "insufficient access".
Any idea what kind of things I need to do to adjust my ldap permissions to
properly delegate?
Thanks,
Brian
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
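
Added example, not part of the original message: a simplified Python model of how slapd evaluates the three olcAccess rules quoted above (first matching "to", then first matching "by"), including the slapd.access(5) default that a bare group.exact checks objectClass groupOfNames and attribute member. The function names and the user DNs passed to them are assumptions made for illustration.

```python
# Added example: simplified model of slapd's first-match ACL evaluation.
# Only the clause types used in the quoted olcAccess values are modelled.
BASE = "dc=example,dc=com"
GROUP = "cn=cust_support,ou=group," + BASE
ADMINS = "ou=admins," + BASE
CLIENTS = ("ou=clientUsers,ou=People," + BASE).lower()

# (target kind, target value, [(who kind, who value, level), ...]) in rule order
RULES = [
    ("attrs", "userpassword", [("self", None, "write"), ("anonymous", None, "auth"),
        ("dn.children", ADMINS, "write"), ("group.exact", GROUP, "write"),
        ("*", None, "none")]),
    ("dn.subtree", CLIENTS, [("self", None, "write"), ("dn.children", ADMINS, "write"),
        ("group.exact", GROUP, "write"), ("*", None, "read")]),
    ("*", None, [("self", None, "write"), ("dn.children", ADMINS, "write"),
        ("*", None, "read")]),
]

def in_group(entry, user_dn):
    # A bare group.exact="..." tests objectClass groupOfNames and attribute
    # member (the slapd.access(5) defaults); memberUid is never consulted.
    classes = [c.lower() for c in entry.get("objectClass", [])]
    members = [m.lower() for m in entry.get("member", [])]
    return "groupofnames" in classes and user_dn.lower() in members

def who_matches(kind, value, user_dn, target_dn, groups):
    if kind == "*":
        return True
    if user_dn is None:  # unauthenticated bind
        return kind == "anonymous"
    if kind == "self":
        return user_dn.lower() == target_dn.lower()
    if kind == "dn.children":  # any descendant, not the base entry itself
        return user_dn.lower().endswith("," + value)
    if kind == "group.exact":
        return value in groups and in_group(groups[value], user_dn)
    return False

def access(user_dn, target_dn, attr, groups):
    """Return the level granted to user_dn on attr of target_dn."""
    t = target_dn.lower()
    for kind, value, clauses in RULES:
        hit = (kind == "*" or (kind == "attrs" and attr.lower() == value)
               or (kind == "dn.subtree" and (t == value or t.endswith("," + value))))
        if hit:  # first matching "to" wins; later rules are never consulted
            for wkind, wvalue, level in clauses:
                if who_matches(wkind, wvalue, user_dn, target_dn, groups):
                    return level  # first matching "by" wins
            return "none"  # implicit trailing "by * none"
    return "none"
```

Adding an entry needs write on the pseudo-attribute "children" of the parent and on "entry" of the new entry, so those are the attribute names to pass to access(). On a live server, slapacl(8) runs the same kind of check against the real configuration.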