Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-15 Thread Steven Jones
Has anyone tried this?

I get a "Damaged repo file"

regards

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] limit access to a specific CN

2011-02-15 Thread Peter Doherty

On Feb 15, 2011, at 14:45 , Simo Sorce wrote:

> On Tue, 15 Feb 2011 14:09:07 -0500
> Peter Doherty  wrote:
> 
>> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
>> 
>>> Peter Doherty wrote:
>>>> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
>>>>
>>>> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
>>>> and then create an account that can edit that cn as much as they
>>>> want,
>>>>
>>> 
>>> What would you put into this container?
>>> 
>>> 
>>> 
>>> rob
>> 
>> The first thing I'm looking to do with it is have a web server that  
>> has account information stored in LDAP, and to allow users to do
>> ldap authentication.  The users logging into the web server would be  
>> 
> 
> It is possible to do using LDAP tools and then setting an ACI on the
> container to give the user you want full control on that container.
> 
> Simo.

Simo, 

This gave me a good starting point, and after reading some more, I'm starting 
to wrap my brain around what I want to do and how to do it.
LDAP has a steep learning curve, IMHO.
Can you recommend any GUI tools for creating/modifying the ACI for the 
container?  I started to try and create an ACI using the ones within FreeIPA as 
a reference, but if there's a GUI that would be useful too.  I checked out 
Apache Directory Studio which looks nice, but doesn't seem to support the 
schema that FreeIPA is using.

--Peter




Re: [Freeipa-users] limit access to a specific CN

2011-02-15 Thread Benjamin Vogt
You can put your users into LDAP groups and have Apache check
that the user exists in the specified group. I do this for subversion
access (f14 & freeipa 1.2.2). This way I can manage everything over
the freeipa webgui without resorting to external tools.

- Ben

-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Simo Sorce
Sent: Tuesday, February 15, 2011 20:46
To: Peter Doherty
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] limit access to a specific CN

On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty  wrote:

> 
> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
> 
> > Peter Doherty wrote:
> >> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
> >>
> >>
> >> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com) 
> >> and then create an account that can edit that cn as much as they 
> >> want, but can't edit the other ones (ie: accounts, groups...)?
> >> Any pointers to documentation would be useful. Unfortunately I'm 
> >> not 100% clear on my terminology, so google searches are leading me 
> >> a bit astray.
> >
> > What would you put into this container?
> >
> > 389-ds certainly supports doing this, depending on what exactly you 
> > want to do IPA may or may not support it. For example, we look for a 
> > type of entry only within a given container, so you can't put users 
> > into another location.
> >
> > rob
> 
> The first thing I'm looking to do with it is have a web server that 
> has account information stored in LDAP, and to allow users to do ldap
> authentication.  The users logging into the web server would be 
> different from the posix groups that are managed by FreeIPA.  I want 
> to replace htaccess and htpasswd files and use LDAP instead.
> It seems like I could create a subsection in LDAP and set up apache to 
> bind and auth against that.  But I also want a separate ldap admin
> account that can only edit this section, and not the rest of the 
> FreeIPA data.
> Thanks.

It is possible to do using LDAP tools and then setting an ACI on the
container to give the user you want full control on that container.

Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] limit access to a specific CN

2011-02-15 Thread Simo Sorce
On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty  wrote:

> 
> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
> 
> > Peter Doherty wrote:
> >> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
> >>
> >>
> >> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
> >> and then create an account that can edit that cn as much as they  
> >> want,
> >> but can't edit the other ones (ie: accounts, groups...)?
> >> Any pointers to documentation would be useful. Unfortunately I'm
> >> not 100% clear on my terminology, so google searches are leading
> >> me a bit astray.
> >
> > What would you put into this container?
> >
> > 389-ds certainly supports doing this, depending on what exactly
> > you want to do IPA may or may not support it. For example, we look
> > for a type of entry only within a given container, so you can't put
> > users into another location.
> >
> > rob
> 
> The first thing I'm looking to do with it is have a web server that  
> has account information stored in LDAP, and to allow users to do
> ldap authentication.  The users logging into the web server would be  
> different from the posix groups that are managed by FreeIPA.  I want  
> to replace htaccess and htpasswd files and use LDAP instead.
> It seems like I could create a subsection in LDAP and set up apache
> to bind and auth against that.  But I also want a separate ldap
> admin account that can only edit this section, and not the rest of
> the FreeIPA data.
> Thanks.

It is possible to do using LDAP tools and then setting an ACI on the
container to give the user you want full control on that container.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
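
As an added illustration of the approach Simo describes (not part of the original thread, and not FreeIPA's own configuration), the LDIF below creates the container, a delegated admin entry, and a 389-ds ACI that gives that entry full control of the container subtree. The account name `uid=webadmin`, its location inside the container, and the placeholder password are assumptions.

```ldif
# Constructed example. Only cn=subgroup,dc=example,dc=com comes from the
# thread; every other DN and value here is an assumption.
# Apply as a directory administrator, for example:
#   ldapmodify -x -D "cn=Directory Manager" -W -f subgroup.ldif

# 1. The container asked about in the thread.
dn: cn=subgroup,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
cn: subgroup

# 2. Delegated admin account (hypothetical name). It lives inside the
#    container so it stays separate from the accounts FreeIPA manages.
dn: uid=webadmin,cn=subgroup,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: webadmin
cn: Web Admin
sn: Admin
# Placeholder value: set a real password before use.
userPassword: REPLACE-WITH-A-REAL-PASSWORD

# 3. ACI stored on the container. With no explicit target keyword it applies
#    to this entry and everything below it, and to nothing else in the tree.
#    "all" grants every right except proxy, on every attribute.
dn: cn=subgroup,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "webadmin full control of subgroup"; allow (all) userdn = "ldap:///uid=webadmin,cn=subgroup,dc=example,dc=com";)

# Tighter variant: the same rights, but the delegated admin cannot edit the
# access-control rules themselves. Use it in place of the value above.
# aci: (targetattr != "aci")(version 3.0; acl "webadmin manage subgroup, no ACI edits"; allow (all) userdn = "ldap:///uid=webadmin,cn=subgroup,dc=example,dc=com";)
```

Because 389-ds denies any access that no ACI allows, this entry gains nothing outside `cn=subgroup`; ACIs already present in the tree that apply to any authenticated user still apply to it.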



Re: [Freeipa-users] limit access to a specific CN

2011-02-15 Thread Peter Doherty


On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:

> Peter Doherty wrote:
>> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
>>
>> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
>> and then create an account that can edit that cn as much as they
>> want,
>> but can't edit the other ones (ie: accounts, groups...)?
>> Any pointers to documentation would be useful. Unfortunately I'm not
>> 100% clear on my terminology, so google searches are leading me a bit
>> astray.
>
> What would you put into this container?
>
> 389-ds certainly supports doing this, depending on what exactly you
> want to do IPA may or may not support it. For example, we look for a
> type of entry only within a given container, so you can't put users
> into another location.
>
> rob

The first thing I'm looking to do with it is have a web server that
has account information stored in LDAP, and to allow users to do ldap
authentication.  The users logging into the web server would be
different from the posix groups that are managed by FreeIPA.  I want
to replace htaccess and htpasswd files and use LDAP instead.
It seems like I could create a subsection in LDAP and set up apache to
bind and auth against that.  But I also want a separate ldap admin
account that can only edit this section, and not the rest of the
FreeIPA data.

Thanks.

Peter



Re: [Freeipa-users] limit access to a specific CN

2011-02-15 Thread Rob Crittenden

Peter Doherty wrote:
> Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
>
> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
> and then create an account that can edit that cn as much as they want,
> but can't edit the other ones (ie: accounts, groups...)?
> Any pointers to documentation would be useful. Unfortunately I'm not
> 100% clear on my terminology, so google searches are leading me a bit
> astray.

What would you put into this container?

389-ds certainly supports doing this, depending on what exactly you want
to do IPA may or may not support it. For example, we look for a type of
entry only within a given container, so you can't put users into another
location.

rob



[Freeipa-users] limit access to a specific CN

2011-02-15 Thread Peter Doherty

Hello,  I'm running Fedora 14 and freeipa 1.2.2-6


Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
and then create an account that can edit that cn as much as they want,  
but can't edit the other ones (ie: accounts, groups...)?
Any pointers to documentation would be useful.  Unfortunately I'm not  
100% clear on my terminology, so google searches are leading me a bit  
astray.


Thanks,
Peter
