Mario Rossi wrote:
> I think this is the way to go - slapd config to allow certain groups to write
> to the tree via dn.regex.
Æ-DIR does not rely on host name convention or DIT structure because this is too
inflexible in practice.
Instead the ACLs work their way along the EER which also allows more levels of
delegation:
https://www.ae-dir.com/docs.html#eer
But this is rather off-topic here.
Ciao, Michael.
On 11/30/2016 02:50 PM, Michael Ströder wrote:
> Mario Rossi wrote:
>> Thank you for the information. We use both Puppet and Ansible to manage our
>> servers. Let me add more details:
>>
>> 1. An admin will build 10 new servers via cobbler and use puppet to deploy
>> settings
>> 2. The admin will create a ticket to SecurityTeam who manages
>> openldap to create 10 new ldap entries for the server itself.
> Your security team should come up with a good concept how to delegate server
> entry creation to the right admins.
>
> There are existing approaches for OpenLDAP to achieve this:
>
> https://www.ae-dir.com/docs.html#role-setup-admin
>
> Ciao, Michael.
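As an added example that is not from this thread or from Æ-DIR: a slapd.conf ACL fragment showing the delegation Mario describes, letting one admin group create host entries directly below ou=servers via dn.regex. The suffix dc=example,dc=com, the group cn=server-admins and the container ou=servers are assumed names.

```conf
# Added example (assumed DNs). Delegate creation of server entries under
# ou=servers,dc=example,dc=com to members of cn=server-admins.
# slapd evaluates "access to" clauses in order and stops at the first
# one whose target matches, so these specific rules must precede any
# catch-all "access to *" rule.

# 1. Adding a child entry requires write access to the parent's
#    "children" pseudo-attribute. Grant only that on the container, not
#    write on the container entry itself, so the group cannot rename or
#    delete ou=servers.
access to dn.exact="ou=servers,dc=example,dc=com" attrs=children
    by group.exact="cn=server-admins,ou=groups,dc=example,dc=com" write
    by users read
    by * none

# 2. The host entries themselves. The regex is anchored on both ends and
#    allows exactly one RDN (no comma) below ou=servers, so it matches
#    cn=host01,ou=servers,dc=example,dc=com but not a nested
#    cn=x,cn=host01,ou=servers,... entry. A nested add would still need
#    write on that deeper DN, which falls through to the default deny.
access to dn.regex="^cn=[^,]+,ou=servers,dc=example,dc=com$"
    by group.exact="cn=server-admins,ou=groups,dc=example,dc=com" write
    by users read
    by * none

# 3. Default: everything else stays read-only for authenticated users.
access to *
    by users read
    by * none
```

Members of cn=server-admins can now add, modify and delete host entries one level below ou=servers, while the container and the rest of the DIT remain out of reach; reading back the effective rights with slapacl before rollout is the usual sanity check.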