Openldap, groups, admin groups, etc
Posted
by
Juan Diego
on Server Fault
See other posts from Server Fault
or by Juan Diego
Published on 2011-06-27T16:18:18Z
Indexed on
2011/06/27
16:24 UTC
Read the original article
Hit count: 423
We have a samba server as PDC with OpenLDAP. So far everything is working, even windows 7 can log on to the Domain.
Here is the tricky part.
We have many departments, each department has it's own IT guys, and these IT guy should be able to create users in their department and change any info of the users in their department.
My Idea was to create 2 groups for each department, For example: Department1 and Admins Department1. Admins Deparment1 has "write" priviledges for members of group Department
dn: ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=Admins,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: Admins
dn: cn=Admins Department1,cn=Admins,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: Admins Department1
member: uid=jdc,ou=People,dc=mydomain,dc=com,dc=ec
structuralObjectClass: groupOfNames
I dont know if you should make Department1 as part of Domain Users
dn: cn=Deparment1,cn=Domain Users,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: Deparment1
member: uid=user1,ou=People,dc=mydomain,dc=com,dc=ec
Or just create the deparments like this.
dn: cn=Deparment1,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: Deparment1
member: uid=user1,ou=People,dc=mydomain,dc=com,dc=ec
I seems that when you use smbldap tools bydefault the users are part of Domain Users even if you dont have them as part of Domain Users in the memberUid attribute, when I use finger they showup as part of the Domain Users group.
I dont want the Departments Admins to be Domain Admins because they have power over all the users, unless I am mistaken.
I also have trouble with the ACLs. I was trying to create an acl for members of this Admins group, I was trying with this search, but didnt work
ldapsearch -x "(&(objectClass=organizationalPerson)(member=cn=Admins Department1,ou=Group,dc=mydomain,dc=com,dc=ec))"
I am open to suggestions.
© Server Fault or respective owner