Greetings. Has anyone tried this LDAP + MultiAdmin thing? I tried what was posted but I get an error.

-----Original Message-----
From: Leandro <lreye...@nauta.cu>
To: Arian Molina Aguilera <linuxc...@teknik.io>, Lista cubana de soporte técnico en Tecnologias Libres <gutl-l@listas.jovenclub.cu>
Date: Fri, 17 May 2019 23:22:26 -0400 (GMT-04:00)
Subject: [Gutl-l] Re: Question about LDAP + MultiAdmin

Thanks, I'll try it and let you know how it went.

---From my phone with SIJÚ

On May 17, 2019 6:42:13 PM UTC, Arian Molina Aguilera <linuxc...@teknik.io> wrote:

On 17/5/19 at 14:07, Leandro wrote:
> Yes, OpenLDAP, Debian

Here is how to do it: https://ludopoitou.com/2011/01/10/multiple-directory-administrative-users/

Most LDAP directory servers configure a single well-known directory administrative account (cn=Directory Manager [,dc=example,dc=com]) which has full access to everything. While there is a need to have one special user to bootstrap the server, we too often see that special account being used by all applications that have specific administrative needs: the provisioning application, the email management application, ...

OpenDJ <http://opendj.forgerock.org> has different mechanisms to define multiple administrative accounts, but today I'm going to focus on the "Root DNs", i.e. defining multiple Directory Managers.

The default administrative account is "cn=Directory Manager", and it is stored in the configuration under the "cn=Root DNs,cn=config" container entry. Adding another administrative account is as simple as adding another entry under that container, with one specific objectClass: ds-cfg-root-dn-user.

Create a file newAdmin.ldif:

dn: cn=Second Admin,cn=Root DNs,cn=config
cn: Second Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ds-cfg-root-dn-user
sn: Second Admin
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password42

Then add it (the bind DN contains a space, so it must be quoted):

$ ldapmodify -a -D "cn=Directory Manager" -j /var/tmp/dmpassfile -f newAdmin.ldif
Processing ADD request for cn=Second Admin,cn=Root DNs,cn=config
ADD operation successful for DN cn=Second Admin,cn=Root DNs,cn=config

If you prefer, you can choose not to set the password in the LDIF file, but set it in a secure way afterwards:

$ bin/ldappasswordmodify -p 1389 -D "cn=directory manager" -j /var/tmp/dmpassfile -a "cn=Admin2,dc=example,dc=com" -N /var/tmp/newpw
The LDAP password modify operation was successful

Where /var/tmp/dmpassfile contains the password for "cn=directory manager" and /var/tmp/newpw the new password for Admin2.

Did you notice the "ds-cfg-alternate-bind-dn" attribute in the definition of the new administrative account? It makes it possible to authenticate to the directory server with the DN value specified in this attribute, while the entry still has a DN and is located under the "cn=config" suffix.

So now, don't hesitate to create different administrative accounts for the various applications that need special access to the directory. In a follow-up post, I will explain how to restrict what those administrative accounts can do in the OpenDJ directory service.

_______________________________________________
Gutl-l mailing list -- gutl-l@listas.jovenclub.cu
To unsubscribe send an email to gutl-l-le...@listas.jovenclub.cu
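The Root DN entry from the quoted post, and its advice to set the password afterwards rather than in the LDIF, as an added Python example that is not code from the post, the list, or OpenDJ: it generates a cn=Root DNs entry without a userPassword and audits an exported config LDIF for root DN entries that lack the ds-cfg-root-dn-user objectClass or an alternate bind DN, or that still carry a cleartext userPassword. The function names parse_ldif, root_dn_ldif and audit_root_dns are this example's own, and the LDIF it checks is constructed from the entry shown above.

```python
import re
ROOT_OC = "ds-cfg-root-dn-user"
ROOT_PWP = "cn=Root Password Policy,cn=Password Policies,cn=config"

def parse_ldif(text):
    """Minimal LDIF parser -> list of {attr(lower): [values]} (no base64 '::')."""
    lines, entries, cur = [], [], {}
    for raw in text.splitlines():             # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip().lower(), []).append(val.strip())
    return entries

def root_dn_ldif(cn, alt_bind_dn):
    """LDIF for a new root DN; userPassword is omitted so it is set afterwards with ldappasswordmodify."""
    return "\n".join([
        f"dn: cn={cn},cn=Root DNs,cn=config", f"cn: {cn}",
        "objectclass: top", "objectclass: person",
        "objectclass: organizationalPerson", "objectclass: inetOrgPerson",
        f"objectclass: {ROOT_OC}", f"sn: {cn}",
        f"ds-cfg-alternate-bind-dn: {alt_bind_dn}",
        f"ds-pwp-password-policy-dn: {ROOT_PWP}"]) + "\n"

def audit_root_dns(text):
    """Return {dn: [findings]} for every entry under cn=Root DNs,cn=config."""
    report = {}
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        if not dn.lower().endswith("cn=root dns,cn=config"):
            continue                          # not an administrative account
        findings = []
        if ROOT_OC not in [v.lower() for v in e.get("objectclass", [])]:
            findings.append("missing ds-cfg-root-dn-user objectClass")
        if "ds-cfg-alternate-bind-dn" not in e:
            findings.append("no alternate bind DN")
        if any(not re.match(r"\{\w+\}", v) for v in e.get("userpassword", [])):
            findings.append("cleartext userPassword in LDIF")
        report[dn] = findings
    return report
```

Feed audit_root_dns the LDIF you are about to import, or an export of cn=config, to catch accounts whose password would otherwise sit in a file.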