0 Replies Latest reply on Nov 19, 2013 3:49 PM by nychawk

    Groups/Roles ACI Procedures for Creating Accounts




      I am trying to determine the steps I need to perform in order to create a group/role under "Groups"; "Groups" does not yet exist inside of my directory.


      Inside of "Groups", I wish to create a container named "UserAdmins", so that the users I make members of it would be capable of creating accounts for other users.


      In my current environment, in order to create user accounts, admins must be able to add/modify entries in:


      1. People

      2. group

      3. auto.home

      4. aliases


      My questions, given the information below, are:


      A. Do my ACIs seem sound for my purposes?

      B. How do I create a second ACI, similar to UserAdmins, but with the added ability of "deleting" entries as well as add and modify? (say called "SuperUserAdmins").


      -----Create Groups---------------------


      dn: ou=Groups, dc=sub,dc=domain,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: Groups

      aci: (target="ldap:///dc=sub,dc=domain,dc=com") (targetattr =
        "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =

      dn: ou=Groups, dc=sub,dc=domain,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: Groups


      ------Initial add of Members to UserAdmins--------


      dn: cn=UserAdmins, ou=Groups, dc=sub,dc=domain,dc=com
      cn: UserAdmins
      objectclass: top
      objectclass: groupofuniquenames
      ou: Groups
      uniquemember: uid=smitha, ou=People, dc=sub,dc=domain,dc=com
      uniquemember: uid=youngt, ou=People, dc=sub,dc=domain,dc=com
      uniquemember: uid=weizerb, ou=People, dc=sub,dc=domain,dc=com
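
The following is an added example, not part of the original post: a pair of ACIs in the same "version 3.0" syntax the post uses, scoped to ou=People instead of the whole suffix, one granting add and modify to UserAdmins and one granting the same rights plus delete to SuperUserAdmins. It assumes a server that accepts that ACI syntax and a second group entry cn=SuperUserAdmins under ou=Groups (a hypothetical DN built on the cn=UserAdmins pattern).

```ldif
# Added example, not from the original post.
# Assumptions: the server accepts the "version 3.0" ACI syntax shown in the
# post; cn=SuperUserAdmins,ou=Groups,... is a hypothetical second
# groupofuniquenames entry created the same way as cn=UserAdmins.
# First aci value: UserAdmins may read, add and modify entries under
# ou=People but has no delete right.
# Second aci value: SuperUserAdmins gets the same rights plus delete.
# Continuation lines start with one space (LDIF line folding); a second
# space is kept as a literal space inside the ACI.
# Apply with ldapmodify, bound as an identity allowed to change ACIs.

dn: ou=People,dc=sub,dc=domain,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,dc=sub,dc=domain,dc=com")(targetattr="*")
 (version 3.0; acl "UserAdmins add and modify";
  allow (read,search,compare,add,write)
  groupdn="ldap:///cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)
aci: (target="ldap:///ou=People,dc=sub,dc=domain,dc=com")(targetattr="*")
 (version 3.0; acl "SuperUserAdmins add, modify and delete";
  allow (read,search,compare,add,write,delete)
  groupdn="ldap:///cn=SuperUserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)
```

The same pair would be repeated on the group, auto.home and aliases containers, whose DNs the post does not give. With targetattr="*" the write right covers every user attribute, including userPassword, so listing only the attributes account creation needs is the tighter choice.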