Re: [Freeipa-users] Best and Secure Way for a System Account
Hello,

many, many thanks, this was the problem ;-) Now I have a modifying entry "cn=users,cn=accounts,dc=example,dc=com" :-))) So now I hope I can configure my Dovecot server, and the mailAlternateAddress is found!

Thanks again.

On Friday, 21 October 2016, 16:21:35 Ludwig Krispenz wrote:
> On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > Thanks for the answer,
> >
> > On Friday, 21 October 2016, 07:11:58 Rich Megginson wrote:
> > > On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > > > Hello Martin and List,
> > > >
> > > > Pardon me, but something is wrong with the LDIF I use:
> > > > [...]
> >
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci:
> > (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> > (version 3.0; acl "Allow system account to read mail address"; allow(read,
> > search, compare) userdn =
> > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >
> > but what is wrong ?
>
> the value for the aci attribute spans multiple lines. In an LDIF file a
> continuation line has to start with a space. Try
>
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
>  (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
>  (version 3.0; acl "Allow system account to read mail address"; allow(read,
>  search, compare) userdn =
>  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>
> > > > I have searched and read for days now, but this FreeIPA / LDAP problem
> > > > is at too high a level for me :-(.
> > > >
> > > > Please help again.
> > > >
> > > > Thanks for an answer
> > > >
> > > > On Monday, 17 October 2016, 14:41:01 Martin Babinsky wrote:
> > > > [...]

-- 
best regards,
Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Best and Secure Way for a System Account
On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> Thanks for the answer,
>
> On Friday, 21 October 2016, 07:11:58 Rich Megginson wrote:
> > On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > > Hello Martin and List,
> > >
> > > Pardon me, but something is wrong with the LDIF I use:
> > >
> > > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > > Enter LDAP Password:
> > > ldapmodify: invalid format (line 5) entry:
> > > "cn=users,cn=accounts,dc=4gjn,dc=com"
> >
> > dn: cn=users,cn=accounts,dc=4gjn,dc=com
>
> this is in the ldif ?
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> (version 3.0; acl "Allow system account to read mail address"; allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> """
>
> but what is wrong ?

the value for the aci attribute spans multiple lines. In an LDIF file a
continuation line has to start with a space. Try

dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
 (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
 (version 3.0; acl "Allow system account to read mail address"; allow(read,
 search, compare) userdn =
 "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)

> > > I have searched and read for days now, but this FreeIPA / LDAP problem
> > > is at too high a level for me :-(.
> > >
> > > Please help again.
> > >
> > > Thanks for an answer
> > >
> > > On Monday, 17 October 2016, 14:41:01 Martin Babinsky wrote:
> > > [...]

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
Re: [Freeipa-users] Best and Secure Way for a System Account
On 10/21/2016 08:05 AM, Günther J. Niederwimmer wrote:
> Hello,
>
> Thanks for the answer,
>
> On Friday, 21 October 2016, 07:11:58 Rich Megginson wrote:
> > On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > > Hello Martin and List,
> > >
> > > Pardon me, but something is wrong with the LDIF I use:
> > >
> > > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > > Enter LDAP Password:
> > > ldapmodify: invalid format (line 5) entry:
> > > "cn=users,cn=accounts,dc=4gjn,dc=com"
> >
> > dn: cn=users,cn=accounts,dc=4gjn,dc=com
>
> this is in the ldif ?
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> (version 3.0; acl "Allow system account to read mail address"; allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> """
>
> but what is wrong ?

Sorry, I don't know, I thought it was complaining about the DN line format.

> > > I have searched and read for days now, but this FreeIPA / LDAP problem
> > > is at too high a level for me :-(.
> > >
> > > Please help again.
> > >
> > > Thanks for an answer
> > >
> > > On Monday, 17 October 2016, 14:41:01 Martin Babinsky wrote:
> > > [...]
Re: [Freeipa-users] Best and Secure Way for a System Account
Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58 Rich Megginson wrote:
> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > Hello Martin and List,
> >
> > Pardon me, but something is wrong with the LDIF I use:
> >
> > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > Enter LDAP Password:
> > ldapmodify: invalid format (line 5) entry:
> > "cn=users,cn=accounts,dc=4gjn,dc=com"
>
> dn: cn=users,cn=accounts,dc=4gjn,dc=com

this is in the ldif ?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version 3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

but what is wrong ?

> > I have searched and read for days now, but this FreeIPA / LDAP problem
> > is at too high a level for me :-(.
> >
> > Please help again.
> >
> > Thanks for an answer
> >
> > On Monday, 17 October 2016, 14:41:01 Martin Babinsky wrote:
> > [...]

-- 
best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] Best and Secure Way for a System Account
On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> Hello Martin and List,
>
> Pardon me, but something is wrong with the LDIF I use:
>
> ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> Enter LDAP Password:
> ldapmodify: invalid format (line 5) entry:
> "cn=users,cn=accounts,dc=4gjn,dc=com"

dn: cn=users,cn=accounts,dc=4gjn,dc=com

> I have searched and read for days now, but this FreeIPA / LDAP problem
> is at too high a level for me :-(.
>
> Please help again.
>
> Thanks for an answer
>
> On Monday, 17 October 2016, 14:41:01 Martin Babinsky wrote:
> > On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > > Hello Martin and List
> > >
> > > Thanks for the answer and help.
> > >
> > > I mean my big problem is to understand the way to configure an ACI :-(.
> > > [...]
> >
> > See the following document for a step-by-step guide on how to write ACIs:
> >
> > https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >
> > To allow the system account read access to your custom attributes, you
> > can use LDIF like this (untested, hopefully I got it right from the top
> > of my head):
> >
> > """
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> > """
> >
> > save it to file and then call
> >
> > ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >
> > to add this ACI to cn=users subtree. The ACI then applies to all entries
> > in the subtree.
Re: [Freeipa-users] Best and Secure Way for a System Account
Hello Martin and List,

Pardon me, but something is wrong with the LDIF I use:

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry: "cn=users,cn=accounts,dc=4gjn,dc=com"

I have searched and read for days now, but this FreeIPA / LDAP problem is at too high a level for me :-(.

Please help again.

Thanks for an answer

On Monday, 17 October 2016, 14:41:01 Martin Babinsky wrote:
> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> >
> > Thanks for the answer and help.
> >
> > I mean my big problem is to understand the way to configure an ACI :-(.
> > [...]
> >
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> >
> > ^D
> >
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >
> > The IPA docs have no timestamp to find out whether this is current or old :-(.
> >
> > Thanks for an answer,
> [...]
>
> See the following document for a step-by-step guide on how to write ACIs:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>
> To allow the system account read access to your custom attributes, you
> can use LDIF like this (untested, hopefully I got it right from the top
> of my head):
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> """
>
> save it to file and then call
>
> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>
> to add this ACI to cn=users subtree. The ACI then applies to all entries
> in the subtree.

-- 
best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] Best and Secure Way for a System Account
On 17/10/2016 14:56, freeipa-users-requ...@redhat.com wrote:
> But now I have to create for this user an ACI to read the uid, passwd,
> mail, mailAlternateAddress...
> mailAlternateAddress is in "objectClass mailrecipient"
>
> I mean I must have an ACI like access to attribute=
>
> Does anyone have a hint or link to understand this problem?

I found this guide very helpful, specifically for allowing access to an NT password hash attribute for doing wireless authentication.

http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html

They are doing it the correct way here: by creating a service principal for the RADIUS server, which it uses to get a Kerberos ticket and authenticate itself to the directory. But you could also use similar steps to apply those permissions to a regular user.

And the related guide if you're interested:

http://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html

Regards,
Brian.
Re: [Freeipa-users] Best and Secure Way for a System Account
On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> Hello Martin and List
>
> Thanks for the answer and help.
>
> I mean my big problem is to understand the way to configure an ACI :-(.
> I can't find any example or docs to configure this correctly :-(.
> I mean this is a problem for the professional league in FreeIPA, and I
> am not a professional :-(..
>
> I did this for all LDAP-configured apps:
>
> ipa group-add systemers --nonposix #group
> ipa pwpolicy-add systemers --maxlife=2 --minclasses=3 --priority=0 #forever-passwords
> ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos="" --shell=/usr/sbin/nologin --email="" --random #user
>
> This user (ldapbind) is only in group systemers
>
> But now I have to create for this user an ACI to read the uid, passwd,
> mail, mailAlternateAddress...
> mailAlternateAddress is in "objectClass mailrecipient"
>
> I mean I must have an ACI like access to attribute=
>
> Does anyone have a hint or link to understand this problem?
>
> Thanks for an answer and help,
>
> On Monday, 17 October 2016, 07:35:26 Martin Babinsky wrote:
> > On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> > > [...]
> >
> > Hi Gunther,
> >
> > that LDIF looks OK to me.
> >
> > Do not forget that you must set up the correct ACIs in order for the
> > system account to see the 'mailAlternateAddress' attribute.

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you can use LDIF like this (untested, hopefully I got it right from the top of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

save it to file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to cn=users subtree. The ACI then applies to all entries in the subtree.

-- 
Martin^3 Babinsky
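Martin's ACI above and Ludwig's continuation-line rule (a value that spans several physical lines must continue with a leading space, or ldapmodify rejects the file with "invalid format (line 5)") fit together in one script. The following is an added example for this thread, not code posted by anyone in it and not part of FreeIPA or 389 Directory Server. It assumes the dc=example,dc=com suffix and the uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com account used in the thread, and writes to whatever file name you pass in (aci.ldif in the usage line). It writes the ACI as a properly folded LDIF record, checks the file locally before it reaches ldapmodify, shows the single unfolded value the server will parse, and verifies the grant by binding as the system account itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/389-ds.
# Assumed names: suffix dc=example,dc=com and the system account
# uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com, both from the thread.

# RFC 2849 folding: a physical line that begins with one space continues
# the previous line, and that first space is dropped when the lines are
# joined. Where the ACI needs whitespace at the join point, the
# continuation line starts with TWO spaces so one survives.
write_aci_ldif() {
    cat > "$1" <<'EOF'
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")
 (targetfilter="(objectClass=mailrecipient)")
  (version 3.0; acl "Allow system account to read mail address";
  allow(read, search, compare)
  userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
EOF
}

# Local format check, same rule ldapmodify applies: every non-blank line is
# a "#" comment, a "-" change separator, "attr: value" / "attr:: base64" /
# "attr:< url", or a continuation line starting with a space. The first
# offending line is reported with ldapmodify's own wording and status 1.
ldif_check() {
    awk '
        /^$/ || /^#/ || /^-$/ || /^ / { next }
        /^[A-Za-z][A-Za-z0-9.;-]*:/      { next }
        { print "invalid format (line " NR ")"; bad = 1; exit }
        END { exit bad }
    ' "$1"
}

# Join continuation lines so the single aci value the server parses is
# visible (a missing quote or bracket is much easier to spot this way).
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END { if (started) print buf }
    ' "$1"
}

# Apply once with the privileged bind, then verify with the least-privileged
# one. Directory Manager bypasses ACIs, so only a search bound as uid=system
# proves the grant is in effect. Needs a reachable IPA/389-ds server.
apply_and_verify() {
    ldif_check "$1" || return 1
    ldapmodify -x -D 'cn=Directory Manager' -W -f "$1" &&
    ldapsearch -x -D 'uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com' -W \
        -b 'cn=users,cn=accounts,dc=example,dc=com' \
        '(objectClass=mailrecipient)' mailAlternateAddress
}

# Usage: write_aci_ldif aci.ldif && ldif_unfold aci.ldif && apply_and_verify aci.ldif
```

The ldapsearch bound as uid=system is the real test of the ACI: if it returns the mailrecipient entries but no mailAlternateAddress values, the ACI is not taking effect for that bind DN (wrong subtree, wrong userdn, or a targetfilter that does not match the entries), whereas the same search as Directory Manager would show the attribute regardless. The ACI grants only read, search and compare on the one attribute named in targetattr, which is the least the Dovecot lookup needs; widen targetattr rather than dropping it if the mail server also needs attributes that are not readable to the system account by default.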
Re: [Freeipa-users] Best and Secure Way for a System Account
Hello Martin and List

Thanks for the answer and help.

I mean my big problem is to understand the way to configure an ACI :-(.
I can't find any example or docs to configure this correctly :-(.
I mean this is a problem for the professional league in FreeIPA, and I am not a professional :-(..

I did this for all LDAP-configured apps:

ipa group-add systemers --nonposix #group
ipa pwpolicy-add systemers --maxlife=2 --minclasses=3 --priority=0 #forever-passwords
ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos="" --shell=/usr/sbin/nologin --email="" --random #user

This user (ldapbind) is only in group systemers

But now I have to create for this user an ACI to read the uid, passwd, mail, mailAlternateAddress...
mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like access to attribute=

Does anyone have a hint or link to understand this problem?

Thanks for an answer and help,

On Monday, 17 October 2016, 07:35:26 Martin Babinsky wrote:
> On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > IPA 4.3.1
> >
> > I have a big problem with my LDAP read user (ldapbind). I would like to
> > install Dovecot with IPA, but I need "mailAlternateAddress". I found a
> > plugin for this, but now I can't read this attribute :-(.
> >
> > Is this the current way to implement a system account?
> >
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> >
> > ^D
> >
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >
> > The IPA docs have no timestamp to find out whether this is current or old :-(.
> >
> > Thanks for an answer,
>
> Hi Gunther,
>
> that LDIF looks OK to me.
>
> Do not forget that you must set up the correct ACIs in order for the
> system account to see the 'mailAlternateAddress' attribute.

-- 
best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] Best and Secure Way for a System Account
On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> IPA 4.3.1
>
> I have a big problem with my LDAP read user (ldapbind). I would like to
> install Dovecot with IPA, but I need "mailAlternateAddress". I found a
> plugin for this, but now I can't read this attribute :-(.
>
> Is this the current way to implement a system account?
>
> # ldapmodify -x -D 'cn=Directory Manager' -W
> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: system
> userPassword: secret123
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
>
> ^D
>
> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>
> The IPA docs have no timestamp to find out whether this is current or old :-(.
>
> Thanks for an answer,

Hi Gunther,

that LDIF looks OK to me.

Do not forget that you must set up the correct ACIs in order for the system account to see the 'mailAlternateAddress' attribute.

-- 
Martin^3 Babinsky
[Freeipa-users] Best and Secure Way for a System Account
Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I would like to install Dovecot with IPA, but I need "mailAlternateAddress". I found a plugin for this, but now I can't read this attribute :-(.

Is this the current way to implement a system account?

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no timestamp to find out whether this is current or old :-(.

Thanks for an answer,

-- 
best regards,
Günther J. Niederwimmer