Thursday, June 19, 2014

[389-users] Restricted Admin Group Creation -- Help required for the syntax.

Hi

I am trying to create an "Admin" group Policy (ACL) with permissions to
launch the 389-console so the components of that group can add/remove
users on some particular DN.
After a few hours I have managed to create the policy and to assign some
attributes to it which just allows me to browse the admin users but
nothing else...

This is what I have done so far:

(targetattr = "ntGroupCreateNewGroup || ntUserDeleteAccount ||
ntGroupType || ntUserParms || passwordLockoutDuration ||
ntUserPrimaryGroupId || ntUserScriptPath || passwordGraceLimit ||
creatorsName || ntGroupDeleteGroup || passwordMinAge || userClass ||
ntUserHomeDir || passwordMaxRepeats || name || ntUserAuthFlags ||
passwordMaxAge || accountInactivityLimit || passwordWarning || owner ||
passwordRetryCount || passwordMustChange || ntUserCountryCode ||
passwordTrackUpdateTime || passwordMinCategories || ntUserUnitsPerWeek
|| ntUserLastLogoff || passwordMin8bit || ntUserMaxStorage ||
ntUserComment || ntUserLogonHours || oid || loginShell || ntGroupId ||
ntUserUniqueId || gecos || userPKCS12 || personalTitle || userPassword
|| ntUserPasswordExpired || passwordMinLength || ntUserPriv ||
passwordHistory || passwordExpirationTime || manager || memberUid ||
passwordResetDuration || objectClasses || objectClass ||
passwordGraceUserTime || displayName || ntGroupAttributes ||
ntUserDomainId || ntUserUsrComment || ntUserLastLogon || uid ||
passwordInHistory || lastModifiedBy || ntUserProfile ||
ntUserAcctExpires || accountUnlockTime || description ||
passwordMinUppers || passwordMinLowers || mail || passwordExpWarned ||
passwordResetFailureCount || modifyTimestamp || passwordExp ||
lastModifiedTime || ou || ntUserCodePage || uniqueIdentifier ||
ntUserWorkstations || lastLoginTime || ntUserCreateNewAccount ||
passwordUnlock || ntUniqueId || ntUserFlags || passwordKeepHistory ||
passwordMaxFailure || ntUserBadPwCount || modifiersName ||
ntGroupDomainId || passwordMinDigits || ntUserNumLogons ||
passwordMinTokenLength || ntUserHomeDirDrive || uniqueMember ||
ntUserLogonServer || passwordAllowChangeTime || member ||
passwordStorageScheme || passwordChange || passwordMinAlphas || co || cn
|| memberOf || passwordCheckSyntax || passwordLockout ||
passwordMinSpecials")
(version 3.0;
acl "Enable NEW Group Configuration Administrator Group modification";
allow (read,compare,search,delete,add)
(groupdn = "ldap:///cn=NEW Group
Administrator,ou=Groups,ou=TopologyManagement,o=NetscapeRoot")
;)

Has anybody done anything similar which can be shared, to access the
389-console with restricted permissions rather than using a third-party
tool?

Recommendations?

Many thanks

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
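As an added example (not from the poster or the 389 project), a small Python review script that parses an ACI in the version 3.0 syntax shown in the post and reports what a reviewer would check: whether the rights include "write" (in 389 DS, "add" and "delete" only create or remove whole entries; changing attribute values needs "write"), whether sensitive attributes are delegated, and whether a (target) clause limits the scope. The sample ACI is a shortened copy of the posted one with the wrapped group DN joined back onto one line; the sensitive-attribute list and the finding texts are my own assumptions.

```python
import re
# Attributes a delegated user-admin ACI should not carry (assumed list).
SENSITIVE_ATTRS = {"userpassword", "userpkcs12", "aci"}
TARGET_RE = re.compile(
    r'\(\s*(targetattr|targetfilter|target)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)

# Shortened copy of the post's ACI (constructed sample: fewer attributes,
# line-wrapped group DN joined back together).
SAMPLE_ACI = '''(targetattr = "uid || cn || mail || userPassword ||
loginShell || memberUid")
(version 3.0;
acl "Enable NEW Group Configuration Administrator Group modification";
allow (read,compare,search,delete,add)
(groupdn = "ldap:///cn=NEW Group Administrator,ou=Groups,ou=TopologyManagement,o=NetscapeRoot")
;)'''

def parse_aci(text):
    """Split a version 3.0 ACI into target clauses, name and rules."""
    targets = {key: (op, val) for key, op, val in TARGET_RE.findall(text)}
    body = BODY_RE.search(text)
    if body is None:
        raise ValueError("not a version 3.0 ACI")
    rules = []
    for kind, perms, bind in RULE_RE.findall(body.group(2)):
        perm_set = {p.strip().lower() for p in perms.split(",") if p.strip()}
        rules.append((kind, perm_set, re.sub(r"\s+", " ", bind.strip().strip("()"))))
    attr_text = targets.get("targetattr", ("=", ""))[1]
    attrs = [a.strip() for a in attr_text.split("||") if a.strip()]
    return {"name": body.group(1), "target": targets.get("target"),
            "targetattr": attrs, "rules": rules}

def review(aci):
    """Findings a reviewer would raise; 'write' is the attribute-change right,
    'add'/'delete' only create or remove whole entries."""
    findings = []
    if aci["target"] is None:
        findings.append("no (target) clause: scope is the entry holding the ACI and its subtree")
    for kind, perms, bind in aci["rules"]:
        if kind == "allow" and perms & {"add", "delete"} and "write" not in perms:
            findings.append(f"rule ({bind}): add/delete granted but not write, so attribute changes stay denied")
    for attr in sorted({a.lower() for a in aci["targetattr"]} & SENSITIVE_ATTRS):
        findings.append(f"sensitive attribute delegated: {attr}")
    return findings
```

Running `review(parse_aci(SAMPLE_ACI))` yields three findings for the sample: no target clause, add/delete without write, and userPassword delegated.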
