####STEP1 – add semi-manager user
sampledesk is a user who edits entries' data via an LDAP client (e.g. LdapAdmin.exe). The userPassword below is a pre-hashed value; prefer a salted {SSHA} hash generated with slappasswd over an unsalted {SHA} one, and prefer -W (prompt) over -w $ROOT_PW, which exposes the password in the process list.
$ vi ~/tmp/add_helpdesk_dept_and_user.ldif
dn: ou=HelpDesk,dc=my-domain,dc=com
objectClass: organizationalUnit
ou: HelpDesk

dn: cn=sampledesk,ou=HelpDesk,dc=my-domain,dc=com
objectClass: person
cn: sampledesk
sn: sampledesk
userPassword: {SHA}YyylynHcSfZ4rukYJCWrHe34L+U=
$ /usr/local/openldap/bin/ldapadd -x \
    -D "cn=Manager,dc=my-domain,dc=com" -w "$ROOT_PW" \
    -f ~/tmp/add_helpdesk_dept_and_user.ldif
####STEP2 – edit slapd.conf
Add the following "access to" directives to slapd.conf, then restart OpenLDAP (slapd). slapd evaluates the directives in order and uses the first one whose "what" matches the target, so the attribute-specific rules must come before "access to *"; within a directive, the first "by" clause that matches the requestor decides, so "by anonymous" must precede "by *".
$ su -
# vi /usr/local/openldap/etc/openldap/slapd.conf
:
access to attrs=mail,displayName,memberSid,uidAlias
    by dn="cn=sampledesk,ou=HelpDesk,dc=my-domain,dc=com" write
    by anonymous read
    by * none
access to attrs=userPassword
    by dn="cn=sampledesk,ou=HelpDesk,dc=my-domain,dc=com" write
    by anonymous auth
    by * none
access to *
    by dn="cn=sampledesk,ou=HelpDesk,dc=my-domain,dc=com" read
    by anonymous read
    by * none
####For Your Information – priority of access
Each access level includes every level listed above it, so "auth" on userPassword lets a bind verify the stored password without allowing it to be read, and "write" implies read, search and compare.

| Level | Letter | Privileges granted |
|----------|---|---------|
| none | 0 | =0 |
| disclose | d | =d |
| auth | x | =xd |
| compare | c | =cxd |
| search | s | =scxd |
| read | r | =rscxd |
| write | w | =wrscxd |
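To check what the three directives in STEP2 actually grant to each kind of requestor, here is a small evaluator (an added example, not code from the original post or from OpenLDAP) that models slapd's rule of first matching "access to", then first matching "by", and the level ordering from the table above. The DNs and attribute names are the page's; the case-insensitive DN comparison and the exact-match "who" clauses are simplifying assumptions.

```python
# Added example (not the page's own code): a small evaluator for the three
# 'access to' directives above, using the privilege ordering from the table.
# It models slapd's rule: the first directive whose <what> matches the attribute
# is used, and within it the first 'by' clause matching the requestor decides.
# DNs and attribute names are the page's; the evaluator is a simplification.

# Privilege levels in increasing order; each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
LETTERS = dict(zip(LEVELS, "0dxcsrw"))

HELPDESK = "cn=sampledesk,ou=HelpDesk,dc=my-domain,dc=com"

# (what, [(who, level), ...]) in the order they appear in slapd.conf.
ACLS = [
    ({"mail", "displayName", "memberSid", "uidAlias"},
     [(HELPDESK, "write"), ("anonymous", "read"), ("*", "none")]),
    ({"userPassword"},
     [(HELPDESK, "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*",
     [(HELPDESK, "read"), ("anonymous", "read"), ("*", "none")]),
]

def who_matches(who, bind_dn):
    """bind_dn is None for an anonymous (unauthenticated) requestor."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    return bind_dn is not None and who.lower() == bind_dn.lower()

def granted_level(bind_dn, attr):
    """Privilege level slapd would grant bind_dn on attribute attr."""
    for what, by_clauses in ACLS:
        if what == "*" or attr in what:
            for who, level in by_clauses:
                if who_matches(who, bind_dn):
                    return level
            return "none"   # a directive matched but no 'by' clause did
    return "none"           # no directive matched: implicit deny

def allowed(bind_dn, attr, needed):
    """True if the granted level implies the level an operation needs."""
    return LEVELS.index(granted_level(bind_dn, attr)) >= LEVELS.index(needed)

def implied(level):
    """Privilege string as in the table, e.g. 'read' -> '=rscxd'."""
    i = LEVELS.index(level)
    return "=" + ("0" if i == 0 else "".join(LETTERS[l] for l in LEVELS[i:0:-1]))
```

Note that an authenticated user other than the helpdesk account (e.g. a constructed uid=bob) falls through to "by * none" on every attribute, which is stricter than anonymous access; if ordinary users need to read the directory, a "by users read" clause must be added before "by * none".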