On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
Hello Martin and List
Thanks for the answer and Help.
I mean my big Problem is to understand the way to configure a ACI :-(.
I can't found any example or docs to configure this correct :-(.
I mean this is a problem for the professional LIGA in FreeIPA , and I am not a
professional :-(..
I make this, for all LDAP configured Apps
ipa group-add systemers --nonposix #group
ipa pwpolicy-add systemers --maxlife=20000 --minclasses=3 --priority=0
#forever-passwords
ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos=""
--shell=/usr/sbin/nologin --email="" --random #user
This user (ldapbind) is only in group systemers
But now I have to create for this user a ACI to read the uid,
passwd,mail,mailAlternateAddress...
mailAlternateAddress is in "objectClass mailrecipient"
I mean I must have a ACI like
access to attribute= ............
Have any a hint or link to understand this Problem?
Thanks for a answer and help,
Am Montag, 17. Oktober 2016, 07:35:26 schrieb Martin Babinsky:
On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
Hello,
IPA 4.3.1
I have a big Problem with my LDAP Read User (ldapbind) I like to install
dovecot with IPA, but I must have "mailAternateAddress" I found a Plugin
for this, but now I cant read this Attributes :-(.
Is this the actual way to implement a System Account
# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D
https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
The IPA Docs have no time stamp to found out, is this actual or old :-(.
Thanks for a answer,
Hi Gunther,
that LDIF look ok to me.
Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternaleAddress' attribute.
See the following document for a step-by-step guide on how to write ACIs:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):
"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
"""
save it to file and then call
ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
to add this ACI to cn=users subtree. The ACI then applies to all entries
in the subtree.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
