Huang, Tony wrote:
> Hi Rob,
> 
> Thanks for the reply. This is what I have done so far.
> 
> 1. Installed my custom container - cn=Multicast,dc=example,dc=com
> 2. Created a group called x500 -
> cn=x500,cn=groups,cn=accounts,dc=example,dc=com
> 3. Added my account "tony" into the x500 group
> 4. Created an x500 role
> 5. Created an x500 privilege
> 6. Created an IPA Permission - permission box checked, grants all access
> (all, write, delete, read, etc), subtree is 
> cn=Multicast,dc=example,dc=com, memberOf has x500 group.
> 7. Assigned the permission to the x500 privilege, and assigned the
> privilege to x500 role.
> 8. Using JXplorer (an LDAP browser), logged in as
> "uid=tony,cn=users,cn=accounts,dc=example,dc=com"
> 9. Tried adding/deleting entries under cn=Multicast,dc=example,dc=com and
> got "Insufficient Access"
> 10. If I associate my account "tony" with the "admins" group, I will be
> able to add/delete/write.
> 
> I also would like to assign anonymous read/search/compare access to
> cn=Multicast,dc=example,dc=com
> 
> Nonetheless, it works if I add the ACIs manually:
> 
> ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
> 
> dn: cn=Multicast,dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr=*) (version 3.0; acl "Allow anonymous search";
>  allow (read,search,compare) userdn= "ldap:///anyone";;)

This is only the anonymous ACI, what did you manually add for the group ACI?

> What am I missing here?

You can use ipa permission-show <name> --all --raw to see the generated
ACI. I sometimes find that easier to wrap my head around. You may notice
important differences between your working and non-working configs.

rob

> 
> Thanks!!!
> 
> --Tony
> 
> 
> 
> 
> On Mon, Aug 14, 2023 at 10:39 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>     Super Tony via FreeIPA-users wrote:
>     > Hi,
>     >
>     > I have an IPA server running on RHEL 8.8. I added a subtree on top
>     > of my domain - cn=Multicast,dc=example,dc=com, and I need to be able
>     > to query anonymously for things that live underneath cn=Multicast,
>     > and give users that belong to
>     > cn=x500,cn=groups,cn=accounts,dc=example,dc=com write access.
>     >
>     > I am able to add an ACI the traditional way against dn:
>     > cn=Multicast,dc=example,dc=com and make anonymous search plus write
>     > access work if I add it via ldapadd, however, I am unable to make it
>     > work the way I want it if I add the ACI via IPA Permissions from the
>     > IPA admin GUI.
>     >
>     > What am I missing here?
> 
>     It's impossible to say without seeing what you've done.
> 
>     rob
> 
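The following is an added example for this thread; it is not code from the FreeIPA project or from either poster. It shows the CLI form of the procedure Tony describes, and a small check that reads the `aci:` line Rob points at (`ipa permission-show NAME --all --raw`) and separates the bind rule (who the ACI applies to: `userdn`/`groupdn`) from the target rules (which entries it applies to). The point the check is built around: the permission's member-of setting (`--memberof` on the CLI) becomes a `targetfilter` of `(memberOf=<group>)` on the entries being accessed; it does not restrict who may bind. Entries under cn=Multicast are not members of x500, so such an ACI never matches them. Who may bind is decided by the chain permission -> privilege -> role -> group, so the group has to be a member of the role. The permission, privilege and role names, the `--attrs` list, and both sample ACI strings (one in the shape IPA generates for a `--memberof` permission, one being Tony's hand-written anonymous ACI on a single line) are constructed for the example.

```shell
#!/bin/sh
# Added example for the FreeIPA-users thread above; not FreeIPA project code
# and not the posters' code. Assumes cn=Multicast,dc=example,dc=com and the
# x500 group already exist. Permission, privilege and role names are
# hypothetical, as is the --attrs list (it must cover what x500 members write).

BASE='dc=example,dc=com'
CONTAINER="cn=Multicast,$BASE"
READ_PERM='Read Multicast anonymously'
WRITE_PERM='Modify Multicast entries'
PRIV='Multicast Administrators'
ROLE='x500'

# Write path: permission -> privilege -> role -> group. The ACI IPA generates
# binds with groupdn = <the permission entry>; membership flows up the chain,
# so the x500 group must be made a member of the role.
# --memberof is deliberately NOT used: it adds a targetfilter
# (memberOf=<group>) on the entries being accessed, it does not say who binds.
apply_permissions() {
    ipa permission-add "$READ_PERM" --bindtype=anonymous \
        --right=read --right=search --right=compare \
        --subtree="$CONTAINER" --attrs=cn --attrs=description --attrs=objectclass
    ipa permission-add "$WRITE_PERM" \
        --right=write --right=add --right=delete \
        --subtree="$CONTAINER" --attrs=cn --attrs=description --attrs=objectclass
    ipa privilege-add "$PRIV"
    ipa privilege-add-permission "$PRIV" --permissions="$WRITE_PERM"
    ipa role-add "$ROLE"
    ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa role-add-member "$ROLE" --groups=x500
    ipa permission-show "$WRITE_PERM" --all --raw
}

# Constructed sample in the shape of `ipa permission-show NAME --all --raw`
# for a permission created WITH --memberof=x500 (the thread's configuration).
SAMPLE_PERMISSION_SHOW='  dn: cn=x500-multicast-write,cn=permissions,cn=pbac,dc=example,dc=com
  cn: x500-multicast-write
  ipapermright: write
  ipapermright: add
  ipapermright: delete
  ipapermlocation: cn=Multicast,dc=example,dc=com
  ipapermtargetfilter: (memberOf=cn=x500,cn=groups,cn=accounts,dc=example,dc=com)
  aci: (targetfilter = "(memberOf=cn=x500,cn=groups,cn=accounts,dc=example,dc=com)")(targetattr = "cn || description")(version 3.0;acl "permission:x500-multicast-write";allow (write,add,delete) groupdn = "ldap:///cn=x500-multicast-write,cn=permissions,cn=pbac,dc=example,dc=com";)'

# The hand-written anonymous ACI from the thread, joined onto one line.
ACI_ANON='(targetattr=*) (version 3.0; acl "Allow anonymous search"; allow (read,search,compare) userdn= "ldap:///anyone";;)'

# Pull the aci: value out of permission-show --raw output.
perm_show_aci() {
    printf '%s\n' "$1" | sed -n 's/^ *aci: //p'
}

# Bind rule: everything after "allow (rights)". userdn/groupdn decide WHO.
aci_bind_rule() {
    printf '%s\n' "$1" | sed -n 's/.*allow ([^)]*) *\(.*[^; ]\)[; ]*)$/\1/p'
}

# targetfilter: decides WHICH entries the ACI covers, whoever binds.
aci_target_filter() {
    printf '%s\n' "$1" | sed -n 's/.*(targetfilter *= *"\([^"]*\)").*/\1/p'
}

# True when the ACI only covers entries that are themselves group members.
# Entries under cn=Multicast are not, so the bind gets "Insufficient access".
aci_targets_only_group_members() {
    case "$(aci_target_filter "$1")" in
        *memberOf=*|*memberof=*) return 0 ;;
        *) return 1 ;;
    esac
}

diagnose_aci() {
    printf 'bind rule    : %s\n' "$(aci_bind_rule "$1")"
    printf 'targetfilter : %s\n' "$(aci_target_filter "$1")"
    if aci_targets_only_group_members "$1"; then
        echo 'targetfilter limits TARGET entries to group members: drop --memberof'
        echo 'and grant the group with role-add-member instead'
    fi
}

case "${1:-}" in
    apply) apply_permissions ;;
    *) diagnose_aci "$(perm_show_aci "$SAMPLE_PERMISSION_SHOW")"
       diagnose_aci "$ACI_ANON" ;;
esac
```

Run it with no arguments to see the two diagnoses offline; run it with `apply` on an IPA server (as an admin with a Kerberos ticket) to create the permissions. A `--bindtype=anonymous` permission is a stand-alone ACI and cannot be added to a privilege, which is why only the write permission goes through the privilege/role chain.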
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org