Re: [Freeipa-users] limit access to a specific CN

2011-02-16 Thread Peter Doherty


On Feb 16, 2011, at 04:10 , Sumit Bose wrote:


On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote:


On Feb 15, 2011, at 14:45 , Simo Sorce wrote:


On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty dohe...@hkl.hms.harvard.edu wrote:


On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:


Peter Doherty wrote:

Hello,  I'm running Fedora 14 and freeipa 1.2.2-6


Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
and then create an account that can edit that cn as much as they
want,
snip



What would you put into this container?

snip

rob


The first thing I'm looking to do with it is have a web server that
has account information stored in LDAP, and to allow users to do
ldap authentication.  The users logging into the web server would be

snip


It is possible to do using LDAP tools and then setting an ACI on the
container to give the user you want full control on that container.

Simo.


Simo,

This gave me a good starting point, and after reading some more,  
I'm starting to wrap my brain around what I want to do and how to  
do it.

LDAP has a steep learning curve, IMHO.
Can you recommend any GUI tools for creating/modifying the ACI for  
the container?  I started to try and create an ACI using the ones  
within FreeIPA as a reference, but if there's a GUI that would be  
useful too.  I checked out Apache Directory Studio which looks  
nice, but doesn't seem to support the schema that FreeIPA is using.


I use Apache Directory Studio to edit FreeIPA LDAP objects and I can
also see and edit ACIs. The schema shouldn't be a problem, because the
editor can read the schema data from the LDAP server. Which kind of
problems are you seeing?


Well, Apache Directory Studio has an ACI editor (looks like this:
http://directory.apache.org/studio/screenshots.data/aci_visual_1.png)
so you don't edit the text directly, but rather use a GUI, which
builds the policy in text and inserts it when you're done editing.

But it seems to use a different schema than FreeIPA is using...

Peter

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] limit access to a specific CN

2011-02-16 Thread Sumit Bose
On Wed, Feb 16, 2011 at 09:28:10AM -0500, Peter Doherty wrote:
 
 On Feb 16, 2011, at 04:10 , Sumit Bose wrote:
 
 On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote:
 
 On Feb 15, 2011, at 14:45 , Simo Sorce wrote:
 
 On Tue, 15 Feb 2011 14:09:07 -0500
 Peter Doherty dohe...@hkl.hms.harvard.edu wrote:
 
 On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
 
 Peter Doherty wrote:
 Hello,  I'm running Fedora 14 and freeipa 1.2.2-6
 
 
 Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
 and then create an account that can edit that cn as much as they
 want,
 snip
 
 
 What would you put into this container?
 
 snip
 
 rob
 
 The first thing I'm looking to do with it is have a web server that
 has account information stored in LDAP, and to allow users to do
 ldap authentication.  The users logging into the web server
 would be
 snip
 
 It is possible to do using LDAP tools and then setting an ACI on the
 container to give the user you want full control on that container.
 
 Simo.
 
 Simo,
 
 This gave me a good starting point, and after reading some more,
 I'm starting to wrap my brain around what I want to do and how
 to do it.
 LDAP has a steep learning curve, IMHO.
 Can you recommend any GUI tools for creating/modifying the ACI
 for the container?  I started to try and create an ACI using the
 ones within FreeIPA as a reference, but if there's a GUI that
 would be useful too.  I checked out Apache Directory Studio
 which looks nice, but doesn't seem to support the schema that
 FreeIPA is using.
 
 I use Apache Directory Studio to edit FreeIPA LDAP objects and I can
 also see and edit ACIs. The schema shouldn't be a problem, because the
 editor can read the schema data from the LDAP server. Which kind of
 problems are you seeing?
 
 Well, Apache Directory Studio has an ACI editor (looks like this:
 http://directory.apache.org/studio/screenshots.data/aci_visual_1.png)
 so you don't edit the text directly, but rather use a GUI, which
 builds the policy in text and inserts it when you're done editing.
 But it seems to use a different schema than FreeIPA is using...

This plugin is for Apache Directory Server only. AFAIK there is nothing
like a standard for ACIs in directory servers and so every directory
server has its own concept of access control.

bye,
Sumit

 
 Peter
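
Simo's suggestion earlier in the thread (create the container with LDAP tools, then set an ACI on it), sketched as LDIF in the ACI syntax of 389 Directory Server, the LDAP server FreeIPA runs on. This is an added example, not text from any poster in the thread; the container DN is the one from the question, while the uid=webadmin account and its DN are hypothetical.

```ldif
# Added example. DNs are assumptions, not values confirmed by the thread.
# Container DN follows the question: cn=subgroup,dc=example,dc=com
# uid=webadmin is a hypothetical delegated administrator account.

# 1. Create the container entry.
dn: cn=subgroup,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
cn: subgroup

# 2. Store the ACI on the container entry itself. With no (target=...)
#    keyword, a 389 DS ACI applies to the entry that holds it and to the
#    subtree below that entry, so nothing outside cn=subgroup is affected.
#    "allow (all)" grants read, write, search, compare, add, delete and
#    selfwrite, but not proxy rights.
dn: cn=subgroup,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "webadmin full control of subgroup"; allow (all) userdn = "ldap:///uid=webadmin,cn=users,cn=accounts,dc=example,dc=com";)
```

Saved as a file, this can be applied with ldapmodify -x -D "cn=Directory Manager" -W -f followed by the file name. Binding afterwards as the delegated account and attempting a write outside cn=subgroup is a quick check that the grant is confined to the container.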



Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-16 Thread Steven Jones
Is there a series of RPMS I can download?

ie can someone tell which ones I need for the server and which ones I
need for the client and in what order I install? I can get the rpms off
the store, just not via yum as the repo is dead for me, either it's a
remote issue, or our firewall is preventing a connection by some means.


regards



Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-16 Thread Rob Crittenden

Steven Jones wrote:

Is there a series of RPMS I can download?

ie can someone tell which ones I need for the server and which ones I
need for the client and in what order I install? I can get the rpms off
the store, just not via yum as the repo is dead for me, either it's a
remote issue, or our firewall is preventing a connection by some means.


regards


You can find the rpms in http://freeipa.com/downloads/devel/rpms/

rob
