eDirectory Account Creation Via LDAP
Articles and Tips: qna
01 Dec 2002
Q.
Would I be able to get you to create an account in eDirectory as follows?
CN=GUESTCST,ou=<wherever>,o=Acadia
This would have a password of whatever you want and have an attribute, preferably called dbaccount (but it could be anything), and the attribute would only be accessible after a successful bind.
Besides the fact that the special attribute would require extending the schema (I think), how would I go about achieving the second part? I have tried some things with ACLs, but the attribute is still accessible using an anonymous bind. We want the attribute to be accessible with an authenticated bind. Is this possible?
Mike Microprocessor Miller
A.
Dear Mike: First of all, make sure the attribute is not set public read when you create it. If it's not, then do you want the attribute visible for any authenticated user? This is fun because if you assign rights to [public] or [root] you will get it in an anonymous bind because your LDAP proxy user inherits those rights.
The only way around this that I can think of is putting the proxy user in a different O or OU and only assigning rights to the Os or OUs where your users are. You can't just block the proxy user's rights because its inherited rights from [Root] or [Public] will prevail.
If you only want it visible to the actual user itself, then you can assign an Access Control List (ACL) just to that user and that should work fine, or if you're running eDirectory v8.6.1 or later, use LDAP to assign rights at the root to the [this] trustee as inheritable, which means if the object matches the authenticated user, it will have the rights.
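The rights check the answer describes, written here as an added example rather than code from the original Q&A: it parses eDirectory ACL attribute values (assumed to use Novell's published `privileges#scope#subject#protectedName` form with the attribute-rights bitmask shown in the comments), flags any value that gives [Public] or [Root] read access to the protected attribute (which the anonymous LDAP proxy user would inherit), and builds the inheritable [This] trustee value the answer recommends. The sample ACL values and the `dbaccount` attribute name are constructed for illustration.

```python
"""Audit eDirectory ACL values so an attribute is never readable via an anonymous bind."""
from dataclasses import dataclass
from typing import Iterable, List

# Attribute-rights bits of the ACL "privileges" field (assumed from Novell's
# documented ACL syntax: privileges#scope#subject#protectedName).
COMPARE, READ, WRITE, ADD_SELF, SUPERVISOR, INHERIT_CTL = 0x01, 0x02, 0x04, 0x08, 0x20, 0x40

# Trustees whose rights every bound user, including the LDAP proxy user, inherits.
BROAD_TRUSTEES = {"[public]", "[root]"}


@dataclass
class Acl:
    privileges: int
    scope: str       # "entry" or "subtree" (subtree = inheritable)
    subject: str     # trustee: a DN, [Public], [Root], [This], ...
    protected: str   # attribute name, [All Attributes Rights] or [Entry Rights]


def parse_acl(value: str) -> Acl:
    """Split one ACL attribute value into its four '#'-separated fields."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed ACL value: {value!r}")
    priv, scope, subject, protected = parts
    return Acl(int(priv), scope.strip().lower(), subject.strip(), protected.strip())


def exposes_to_anonymous(acl: Acl, attr: str) -> bool:
    """True if [Public]/[Root] gets Read (or Supervisor) on attr, directly or via [All Attributes Rights]."""
    covers_attr = acl.protected.lower() in {attr.lower(), "[all attributes rights]"}
    broad_trustee = acl.subject.lower() in BROAD_TRUSTEES
    return covers_attr and broad_trustee and bool(acl.privileges & (READ | SUPERVISOR))


def audit(acl_values: Iterable[str], attr: str) -> List[str]:
    """Return every ACL value that would leak attr to an anonymous bind."""
    return [v for v in acl_values if exposes_to_anonymous(parse_acl(v), attr)]


def this_trustee_acl(attr: str) -> str:
    """The value the answer recommends: inheritable Read for the [This] trustee on attr."""
    return f"{READ}#subtree#[This]#{attr}"


# Constructed sample values as they might appear on a container, not from a real tree.
SAMPLE_ACLS = [
    "2#subtree#[Public]#dbaccount",                # Read for [Public]: leaks via anonymous bind
    "1#subtree#[Public]#[All Attributes Rights]",  # Compare only: no leak
    "2#subtree#[This]#dbaccount",                  # only the matching user can read it
    "6#entry#cn=admin,o=Acadia#dbaccount",         # explicit grant to one admin DN
]

if __name__ == "__main__":
    for value in audit(SAMPLE_ACLS, "dbaccount"):
        print("exposed to anonymous bind:", value)
```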
* Originally published in Novell AppNotes
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.