Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J. Niederwimmer
Hello,

many, many thanks, this was the problem ;-)

now I have a
modifying entry "cn=users,cn=accounts,dc=example,dc=com"
:-)))

So now I hope I can configure my Dovecot server and the mailAlternateAddress is
found!

Thanks again.

On Friday, 21 October 2016, 16:21:35, Ludwig Krispenz wrote:
> On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > Thanks for the answer,
> > 
> > On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> >> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List,
> >>> 
> >>> Pardon me, but something is wrong with the LDIF I
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci:
> > (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> > (version
> > 3.0; acl "Allow system account to read mail address"; allow(read,
> > search, compare) userdn =
> > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> > ""
> > 
> > but what is wrong ?
> 
> The value for the aci attribute spans multiple lines. In an LDIF file a
> continuation line has to start with a space. Try
> 
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
>  (version 3.0; acl "Allow system account to read mail address"; allow(read,
>  search, compare) userdn =
>  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> 
> >>> I have searched and read for days now, but this FreeIPA / LDAP problem
> >>> is at too high a level for me :-(.
> >>> 
> >>> Please help again..
> >>> 
> >>> Thanks for an answer
> >>> 
> >>> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
>  On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> > 
> > Thanks for the answer and Help.
> > 
> > I mean my big problem is to understand how to configure an ACI :-(.
> >>> 
> >>> # ldapmodify -x -D 'cn=Directory Manager' -W
> >>> 
> >>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >>> changetype: add
> >>> objectclass: account
> >>> objectclass: simplesecurityobject
> >>> uid: system
> >>> userPassword: secret123
> >>> passwordExpirationTime: 20380119031407Z
> >>> nsIdleTimeout: 0
> >>> 
> >>> ^D
> >>> 
> >>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>> 
> >>> The IPA docs have no time stamp to find out whether this is current or old
> >>> :-(.
> >>> 
> >>> Thanks for an answer,
> >> 
> >> Hi Gunther,
> >> 
> >> that LDIF looks ok to me.
> >> 
> >> Do not forget that you must set up the correct ACIs in order for the
> >> system account to see the 'mailAlternateAddress' attribute.
>  
>  See the following document for a step-by-step guide on how to write
>  ACIs:
>  
>  https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>  
>  To allow the system account read access to your custom attributes, you
>  can use LDIF like this (untested, hopefully I got it right from the top
>  of my head):
>  
>  """
>  dn: cn=users,cn=accounts,dc=example,dc=com
>  changetype: modify
>  add: aci
>  aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>  """
>  save it to a file and then call
>  
>  ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>  
>  to add this ACI to the cn=users subtree. The ACI then applies to all
>  entries in the subtree.

-- 
best regards,

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Ludwig Krispenz


On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:

Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:

On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:

Hello Martin and List,

Pardon me, but something is wrong with the LDIF I

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"

dn: cn=users,cn=accounts,dc=4gjn,dc=com

this is in the LDIF?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
""

but what is wrong?

The value for the aci attribute spans multiple lines. In an LDIF file a
continuation line has to start with a space. Try

dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
 (version 3.0; acl "Allow system account to read mail address"; allow(read,
 search, compare) userdn =
 "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)


  

I have searched and read for days now, but this FreeIPA / LDAP problem
is at too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand how to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W

dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D


https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old
:-(.

Thanks for an answer,

Hi Gunther,

that LDIF looks ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to a file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to the cn=users subtree. The ACI then applies to all entries
in the subtree.


--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander

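The continuation-line rule Ludwig describes, worked through in code. This is an added example, not code from the thread or from the FreeIPA project: it folds the thread's ACI into valid LDIF the way RFC 2849 specifies (continuation lines start with one space that is not part of the value), unfolds it back to what the server sees, and reproduces the "invalid format (line 5)" complaint on a constructed copy of the failing file. The bind rule is closed as `...dc=com";)`; the 76-column width, the function names and `BROKEN_LDIF` are assumptions of this example.

```python
"""Fold, unfold and sanity-check LDIF the way ldapmodify reads it.

Added example; this is not FreeIPA code and not code from the thread.
The DN and ACI text are the ones posted in the thread (bind rule closed as
'...dc=com";)'); the 76-column width, the function names and BROKEN_LDIF
(a constructed copy of the failing file) are this example's own.
"""
import base64
import re

TARGET_DN = "cn=users,cn=accounts,dc=example,dc=com"
ACI = (
    '(targetattr="mailAlternateAddress")'
    '(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; '
    'allow(read, search, compare) '
    'userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)'
)

# Constructed: the ACI value pasted as bare lines, which is what the thread's
# ldapmodify rejected with "invalid format (line 5)".
BROKEN_LDIF = """dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version 3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING test; anything else must be sent as 'attr:: b64'."""
    return (not value.isascii() or value[:1] in (" ", ":", "<")
            or any(c in value for c in "\0\r\n"))


def fold_ldif_line(name: str, value: str, width: int = 76) -> str:
    """Render 'name: value' with RFC 2849 folding: every continuation line
    starts with one space, and that space is not part of the value, so the
    value may be cut at any character."""
    if needs_base64(value):
        line = f"{name}:: {base64.b64encode(value.encode()).decode()}"
    else:
        line = f"{name}: {value}"
    physical = [line[:width]]
    rest = line[width:]
    while rest:
        physical.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(physical)


def build_aci_ldif(target_dn: str, aci: str) -> str:
    """One 'changetype: modify' record that adds the ACI to target_dn."""
    return "\n".join([f"dn: {target_dn}", "changetype: modify",
                      "add: aci", fold_ldif_line("aci", aci), ""])


def unfold_ldif(text: str) -> list:
    """Join continuation lines back into logical lines (the server's view)."""
    logical = []
    for phys in text.splitlines():
        if phys.startswith(" ") and logical:
            logical[-1] += phys[1:]
        else:
            logical.append(phys)
    return logical


ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")


def check_ldif(text: str) -> list:
    """Flag physical lines that are neither 'attr: value', a continuation,
    a comment, a '-' separator nor blank. The first hit is the line number
    ldapmodify reports as 'invalid format (line N)'."""
    problems = []
    for n, phys in enumerate(text.splitlines(), start=1):
        if phys == "" or phys[0] in " #-":
            continue
        if not ATTR_LINE.match(phys):
            problems.append(f"line {n}: not an attribute line and not a "
                            f"continuation (missing leading space?): {phys[:40]!r}")
    return problems


if __name__ == "__main__":
    print(build_aci_ldif(TARGET_DN, ACI))
    for problem in check_ldif(BROKEN_LDIF):
        print(problem)
```

Run `check_ldif` over any hand-edited LDIF before feeding it to `ldapmodify -f`; a mailer that rewraps long lines produces exactly the bare `(targetattr=...` line that the check flags, and the first flagged line number matches the one in the error message.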


Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Rich Megginson

On 10/21/2016 08:05 AM, Günther J. Niederwimmer wrote:

Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:

On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:

Hello Martin and List,

Pardon me, but something is wrong with the LDIF I

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"

dn: cn=users,cn=accounts,dc=4gjn,dc=com

this is in the LDIF?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
""

but what is wrong?


Sorry, I don't know, I thought it was complaining about the DN line format.


I have searched and read for days now, but this FreeIPA / LDAP problem
is at too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand how to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W

dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D


https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old
:-(.

Thanks for an answer,

Hi Gunther,

that LDIF looks ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to a file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to the cn=users subtree. The ACI then applies to all entries
in the subtree.





Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J. Niederwimmer
Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > Hello Martin and List,
> > 
> > Pardon me, but something is wrong with the LDIF I
> > 
> > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > Enter LDAP Password:
> > ldapmodify: invalid format (line 5) entry:
> > "cn=users,cn=accounts,dc=4gjn,dc=com"
> 
> dn: cn=users,cn=accounts,dc=4gjn,dc=com

this is in the LDIF?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
""

but what is wrong?
 
> > I have searched and read for days now, but this FreeIPA / LDAP problem
> > is at too high a level for me :-(.
> > 
> > Please help again..
> > 
> > Thanks for an answer
> > 
> > On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List
> >>> 
> >>> Thanks for the answer and Help.
> >>> 
> >>> I mean my big problem is to understand how to configure an ACI :-(.
> > 
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > 
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > 
> > ^D
> > 
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> > 
> > The IPA docs have no time stamp to find out whether this is current or old
> > :-(.
> > 
> > Thanks for an answer,
>  
>  Hi Gunther,
>  
>  that LDIF looks ok to me.
>  
>  Do not forget that you must set up the correct ACIs in order for the
>  system account to see the 'mailAlternateAddress' attribute.
> >> 
> >> See the following document for a step-by-step guide on how to write ACIs:
> >> 
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >> 
> >> To allow the system account read access to your custom attributes, you
> >> can use LDIF like this (untested, hopefully I got it right from the top
> >> of my head):
> >> 
> >> """
> >> dn: cn=users,cn=accounts,dc=example,dc=com
> >> changetype: modify
> >> add: aci
> >> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >> """
> >> save it to a file and then call
> >> 
> >> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >> 
> >> to add this ACI to the cn=users subtree. The ACI then applies to all entries
> >> in the subtree.

-- 
best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Rich Megginson

On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:

Hello Martin and List,

Pardon me, but something is wrong with the LDIF I

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"


dn: cn=users,cn=accounts,dc=4gjn,dc=com



I have searched and read for days now, but this FreeIPA / LDAP problem is at
too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand how to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D


https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old :-(.

Thanks for an answer,

Hi Gunther,

that LDIF looks ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to a file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to the cn=users subtree. The ACI then applies to all entries
in the subtree.





Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Günther J. Niederwimmer
Hello Martin and List,

Pardon me, but something is wrong with the LDIF I

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password: 
ldapmodify: invalid format (line 5) entry: 
"cn=users,cn=accounts,dc=4gjn,dc=com"

I have searched and read for days now, but this FreeIPA / LDAP problem is at
too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> > 
> > Thanks for the answer and Help.
> > 
> > I mean my big problem is to understand how to configure an ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

> >>> 
> >>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>> 
> >>> The IPA docs have no time stamp to find out whether this is current or old :-(.
> >>> 
> >>> Thanks for an answer,
> >> 
> >> Hi Gunther,
> >> 
> >> that LDIF looks ok to me.
> >> 
> >> Do not forget that you must set up the correct ACIs in order for the
> >> system account to see the 'mailAlternateAddress' attribute.
> 
> See the following document for a step-by-step guide on how to write ACIs:
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> 
> To allow the system account read access to your custom attributes, you
> can use LDIF like this (untested, hopefully I got it right from the top
> of my head):
> 
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> """
> save it to a file and then call
> 
> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> 
> to add this ACI to the cn=users subtree. The ACI then applies to all entries
> in the subtree.

-- 
best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Brian Candler

On 17/10/2016 14:56, freeipa-users-requ...@redhat.com wrote:

But now I have to create an ACI for this user to read the uid,
passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= 

Does anyone have a hint or link to understand this problem?


I found this guide very helpful, specifically for allowing access to a 
NT password hash attribute for doing wireless authentication.


http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html

They are doing it the correct way here: by creating a service principal 
for the RADIUS server, which it uses to get a kerberos ticket and 
authenticate itself to the directory.  But you could also use similar 
steps to apply those permissions to a regular user.


And the related guide if you're interested:

http://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html

Regards,

Brian.



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Martin Babinsky

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:

Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand how to configure an ACI :-(.

I can't find any example or docs to configure this correctly :-(.

I mean this is a problem for the professional league in FreeIPA, and I am not a
professional :-(..

I do this for all LDAP-configured apps:

ipa group-add systemers --nonposix  # group

ipa pwpolicy-add systemers --maxlife=2 --minclasses=3 --priority=0  # forever-passwords

ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos="" --shell=/usr/sbin/nologin --email="" --random  # user

This user (ldapbind) is only in the group systemers

But now I have to create an ACI for this user to read the uid,
passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= 

Does anyone have a hint or link to understand this problem?

Thanks for an answer and help,


On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote:

On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:

Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I would like to install
Dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin
for this, but now I can't read these attributes :-(.

Is this the current way to implement a system account?

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old :-(.

Thanks for an answer,


Hi Gunther,

that LDIF looks ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.




See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):


"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to a file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to the cn=users subtree. The ACI then applies to all entries
in the subtree.


--
Martin^3 Babinsky

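A least-privilege check on the ACI Martin proposes above. This is an added example, not FreeIPA code and not code from anyone in the thread: it parses a version 3.0 ACI string into its target clauses and permission rules and flags the grants a reviewer would reject (a `targetattr` wildcard or negation, credential attributes in the target list, rights beyond read/search/compare, and bind rules that are not one specific account). The thread's ACI is reproduced with the bind rule closed as `...dc=com";)`; the `SENSITIVE` attribute list, the finding texts and the two counter-example ACIs are this example's own assumptions.

```python
"""Static least-privilege review of a 389-ds / FreeIPA version 3.0 ACI.

Added example; not FreeIPA code and not code from the thread's posters.
THREAD_ACI is the ACI Martin proposed (bind rule closed as '...dc=com";)').
The SENSITIVE list, the finding texts and the two counter-example ACIs are
this example's own assumptions.
"""
import re

# Stored on cn=users,cn=accounts,... in the thread; the ACI text itself
# carries no DN, so its scope comes from the entry it is attached to.
THREAD_ACI = (
    '(targetattr="mailAlternateAddress")'
    '(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; '
    'allow(read, search, compare) '
    'userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)'
)
# Constructed counter-examples a reviewer should reject.
BROAD_ACI = ('(targetattr="*")(version 3.0; acl "too broad"; '
             'allow(all) userdn = "ldap:///anyone";)')
NEGATED_ACI = ('(targetattr!="userPassword")(version 3.0; acl "negated"; '
               'allow(read) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)')

READ_ONLY = {"read", "search", "compare"}
# Assumption: attributes an application bind account must never be able to read.
SENSITIVE = {"userpassword", "krbprincipalkey", "krbmkey", "ipanthash",
             "passwordhistory"}

ACI_RE = re.compile(
    r'^\s*(?P<targets>(?:\(\s*[a-zA-Z_]+\s*!?=\s*"[^"]*"\s*\)\s*)+)'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*(?P<body>.*)\)\s*$',
    re.S)
TARGET_RE = re.compile(r'\(\s*(?P<key>[a-zA-Z_]+)\s*(?P<op>!?=)\s*"(?P<val>[^"]*)"\s*\)')
RULE_RE = re.compile(r'(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*?);', re.S)


def parse_aci(aci: str) -> dict:
    """Split an ACI into its target clauses, name and permission rules."""
    m = ACI_RE.match(aci)
    if not m:
        raise ValueError("not a recognisable version 3.0 ACI")
    targets = {t["key"].lower(): (t["op"], t["val"])
               for t in TARGET_RE.finditer(m["targets"])}
    rules = [{"perm": r["perm"],
              "rights": {x.strip().lower() for x in r["rights"].split(",")},
              "bind": r["bind"].strip()}
             for r in RULE_RE.finditer(m["body"])]
    return {"name": m["name"], "targets": targets, "rules": rules}


def review_aci(aci: str, allowed_rights: set = READ_ONLY) -> list:
    """Return findings; an empty list means the ACI is as narrow as asked."""
    parsed = parse_aci(aci)
    findings = []
    ta = parsed["targets"].get("targetattr")
    if ta is None:
        findings.append("no targetattr: applies to every attribute of matching entries")
    else:
        op, val = ta
        attrs = {a.strip().lower() for a in val.split("||")}
        if op == "!=":
            findings.append("negated targetattr: grants every attribute except those listed")
        elif "*" in attrs:
            findings.append("targetattr wildcard '*' grants every attribute")
        elif attrs & SENSITIVE:
            findings.append(f"targetattr includes credential attributes: {sorted(attrs & SENSITIVE)}")
    for rule in parsed["rules"]:
        if rule["perm"] != "allow":
            continue
        extra = rule["rights"] - allowed_rights
        if extra:
            findings.append(f"rights beyond {sorted(allowed_rights)}: {sorted(extra)}")
        bind = rule["bind"].lower()
        if 'ldap:///anyone' in bind or 'ldap:///all"' in bind:
            findings.append(f"bind rule is not a specific account: {rule['bind']}")
    return findings


if __name__ == "__main__":
    for label, aci in (("thread", THREAD_ACI), ("broad", BROAD_ACI), ("negated", NEGATED_ACI)):
        print(label, review_aci(aci) or ["ok"])
```

Feed it the unfolded `aci` values from `ldapsearch -b cn=users,cn=accounts,dc=example,dc=com '(aci=*)' aci` before and after the change; the thread's ACI comes back clean, while a wildcard target, `allow(all)` or a `ldap:///anyone` bind rule each produce a finding. The check is syntactic only: it cannot tell you that the ACI is stored on the right subtree, which is the other half of least privilege here.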


Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Günther J. Niederwimmer
Hello Martin and List

Thanks for the answer and Help.

I mean my big problem is to understand how to configure an ACI :-(.

I can't find any example or docs to configure this correctly :-(.

I mean this is a problem for the professional league in FreeIPA, and I am not a 
professional :-(..

I do this for all LDAP-configured apps:

ipa group-add systemers --nonposix  # group

ipa pwpolicy-add systemers --maxlife=2 --minclasses=3 --priority=0  # forever-passwords

ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos="" --shell=/usr/sbin/nologin --email="" --random  # user

This user (ldapbind) is only in the group systemers

But now I have to create an ACI for this user to read the uid, 
passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= 

Does anyone have a hint or link to understand this problem?

Thanks for an answer and help,

 
On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote:
> On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > IPA 4.3.1
> > 
> > I have a big problem with my LDAP read user (ldapbind). I would like to install
> > Dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin
> > for this, but now I can't read these attributes :-(.
> > 
> > Is this the current way to implement a system account?
> > 
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > 
> > ^D
> > 
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> > 
> > The IPA docs have no time stamp to find out whether this is current or old :-(.
> > 
> > Thanks for an answer,
> 
> Hi Gunther,
> 
> that LDIF looks ok to me.
> 
> Do not forget that you must set up the correct ACIs in order for the
> system account to see the 'mailAlternateAddress' attribute.

-- 
best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-16 Thread Martin Babinsky

On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:

Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I would like to install
Dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin for
this, but now I can't read these attributes :-(.

Is this the current way to implement a system account?

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old :-(.

Thanks for an answer,



Hi Gunther,

that LDIF looks ok to me.

Do not forget that you must set up the correct ACIs in order for the 
system account to see the 'mailAlternateAddress' attribute.


--
Martin^3 Babinsky



[Freeipa-users] Best and Secure Way for a System Account

2016-10-16 Thread Günther J. Niederwimmer
Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I would like to install 
Dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin for 
this, but now I can't read these attributes :-(.

Is this the current way to implement a system account?

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old :-(.

Thanks for an answer,
-- 
best regards,

  Günther J. Niederwimmer
