0 Replies. Latest reply: Nov 19, 2013 9:49 AM by nychawk

Groups/Roles ACI Procedures for Creating Accounts

nychawk

Hello;

I am trying to determine the steps I need to perform in order to create a group/role under "Groups"; "Groups" does not yet exist inside of my directory.

Inside of "Groups", I wish to create a container named "UserAdmins", whose members (the users I add to it) would be capable of creating accounts for other users.

In my current environment, in order to create user accounts, admins must be able to add/modify entries in:

1. People
2. group
3. auto.home
4. aliases

My questions, given the information below, are:

A. Do my ACIs seem sound for my purposes?
B. How do I create a second ACI, similar to UserAdmins, but with the added ability of "deleting" entries as well as adding and modifying? (say, called "SuperUserAdmins")

-----Create Groups---------------------

# Container for the admin groups; the DN must read dc=sub, not a bare "sub"
dn: ou=Groups,dc=sub,dc=domain,dc=com
objectclass: top
objectclass: organizationalunit
ou: Groups

-----UserAdmins.aci--------------------

# An aci value has to live on an entry, so as LDIF it is a modify of the
# entry the target names (the suffix). Note that the right "all" is every
# right except proxy, so it already includes delete.
dn: dc=sub,dc=domain,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=sub,dc=domain,dc=com")(targetattr = "*")(version 3.0;
  acl "allow all Admin group"; allow(all) groupdn =
  "ldap:///cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)

------Initial add of Members to UserAdmins--------

dn: cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com
cn: UserAdmins
objectclass: top
objectclass: groupofuniquenames
ou: Groups
uniquemember: uid=smitha,ou=People,dc=sub,dc=domain,dc=com
uniquemember: uid=youngt,ou=People,dc=sub,dc=domain,dc=com
uniquemember: uid=weizerb,ou=People,dc=sub,dc=domain,dc=com
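As an added example (not part of nychawk's post and not Sun/Oracle's own documentation), the LDIF below is one way to lay out both groups and their ACIs in DSEE-style syntax so that UserAdmins can add and modify entries under the four containers but cannot delete them, while SuperUserAdmins can also delete. Two things the posted ACI does not do: the right "all" already includes delete, so allow(all) does not withhold deletion from UserAdmins; and a target of the whole suffix with targetattr "*" lets group members write the aci attribute itself and edit their own group entry, which amounts to granting themselves anything. The example therefore places each ACI on the container entry it protects (an ACI with no target keyword applies to the entry it sits on and the subtree below it), lists the rights explicitly, and excludes the aci attribute. The suffix, ou=People, the UserAdmins members and the group names come from the post; the container DNs ou=group, ou=auto.home and ou=aliases, the member uid=doej, and applying the file with ldapmodify as Directory Manager are assumptions (substitute the real container DNs, for instance automountMapName=auto.home if the automount schema is in use).

```ldif
# Added example, not from the original post. Assumed usage:
#   ldapmodify -D "cn=Directory Manager" -W -f account-admins.ldif

# 1. Groups container. Deliberately no ACI here: neither admin group can
#    change membership, so a member cannot promote themselves.
dn: ou=Groups,dc=sub,dc=domain,dc=com
changetype: add
objectclass: top
objectclass: organizationalunit
ou: Groups

# 2. UserAdmins: add and modify only (members taken from the post)
dn: cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com
changetype: add
objectclass: top
objectclass: groupofuniquenames
cn: UserAdmins
uniquemember: uid=smitha,ou=People,dc=sub,dc=domain,dc=com
uniquemember: uid=youngt,ou=People,dc=sub,dc=domain,dc=com
uniquemember: uid=weizerb,ou=People,dc=sub,dc=domain,dc=com

# 3. SuperUserAdmins: everything UserAdmins can do, plus delete
#    (uid=doej is an assumed member)
dn: cn=SuperUserAdmins,ou=Groups,dc=sub,dc=domain,dc=com
changetype: add
objectclass: top
objectclass: groupofuniquenames
cn: SuperUserAdmins
uniquemember: uid=doej,ou=People,dc=sub,dc=domain,dc=com

# 4. One pair of ACIs per container. No "target" keyword: scope is the
#    container and its subtree, not the suffix. Rights are spelled out
#    ("all" would silently include delete) and "aci" is excluded so an
#    admin cannot plant ACIs on the entries they manage.
dn: ou=People,dc=sub,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "UserAdmins add/modify People";
  allow (read,search,compare,write,add)
  groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)
aci: (targetattr != "aci")(version 3.0; acl "SuperUserAdmins manage People";
  allow (read,search,compare,write,add,delete)
  groupdn = "ldap:///cn=SuperUserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)

# ou=group is an assumed DN for the "group" container named in the post
dn: ou=group,dc=sub,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "UserAdmins add/modify group";
  allow (read,search,compare,write,add)
  groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)
aci: (targetattr != "aci")(version 3.0; acl "SuperUserAdmins manage group";
  allow (read,search,compare,write,add,delete)
  groupdn = "ldap:///cn=SuperUserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)

# ou=auto.home is an assumed DN for the "auto.home" container
dn: ou=auto.home,dc=sub,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "UserAdmins add/modify auto.home";
  allow (read,search,compare,write,add)
  groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)
aci: (targetattr != "aci")(version 3.0; acl "SuperUserAdmins manage auto.home";
  allow (read,search,compare,write,add,delete)
  groupdn = "ldap:///cn=SuperUserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)

# ou=aliases is an assumed DN for the "aliases" container
dn: ou=aliases,dc=sub,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "UserAdmins add/modify aliases";
  allow (read,search,compare,write,add)
  groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)
aci: (targetattr != "aci")(version 3.0; acl "SuperUserAdmins manage aliases";
  allow (read,search,compare,write,add,delete)
  groupdn = "ldap:///cn=SuperUserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)
```

The continuation lines carry two leading spaces because LDIF strips exactly one when it joins them, which keeps a space inside the ACI string. Because the only write-granting ACIs sit on the four containers, neither group can touch ou=Groups or the suffix entry, so membership changes still need Directory Manager (or a separately scoped ACI). Verify the split before relying on it: bind as one of the UserAdmins members and run ldapdelete against a throwaway entry under ou=People, which should fail with insufficient access, then repeat as the SuperUserAdmins member, which should succeed; also confirm that the UserAdmins bind cannot add an aci value to a user entry.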