On Thu, Apr 29, 2010 at 2:17 PM, Andreas Hasenack <andr...@canonical.com> wrote: >>> - - basic ACLs to protect content that is not even there yet (like >>> userPassword, krb5key, samba hashes, etc) >>> - - basic ACLs to allow for group-delegated based administration >> >> The two points above probably discard using phpldapadmin (and most web > > The ACLs? > >> tools). I haven't looked for long, but it used a special user with >> global privileges, so once you log in the web, you can do (nearly) >> anything. > > They probably ask for the rootdn. In that case, just give them the DN of > a user that is a member of the ldap admin group, it has the exact same > effect.
Yes, the ACLs, because I'm not thinking on a single user with full privileges and many users without any privileges. Let say, I would like the DNS admins to modify their entries, and the "user" administrator to create or modify user entries. That means giving any of them only partial privileges. If you use any kind of 'proxy' (as phpldapadmin) it must be aware of existing ACL and the most sensible way to acomplish that is to let the ldap server evaluate them, using direct identification against the ldap server. The phpldapadmin I remember (it might have evolved) has a single user and wasn't capable to do this. Javier Palacios -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
