[Freeipa-users] Adding permissions to a service account.
Martin Kosek
mkosek at redhat.com
Wed Aug 13 06:44:27 UTC 2014
On 08/13/2014 02:27 AM, William wrote:
> On Tue, 2014-08-12 at 13:51 -0400, Rob Crittenden wrote:
>> William wrote:
>>> Hi,
>>>
>>> I am trying to allow a radius service account the ability to read
>>> ipaNTHash. I carried out the following steps:
>>>
>
>>
>> You can't delegate permissions to a service. See
>> https://fedorahosted.org/freeipa/ticket/3644
>>
>> rob
>
>
> For now, should I just add the service DN as a member of the role to
> enable this?
Rob used the wrong ticket; this is the one:
https://fedorahosted.org/freeipa/ticket/3164
It is currently planned for FreeIPA 4.1. If you are interested in contributing
a patch, please feel free to do so, this would be a simple one :-)
Anyway, to fix your permission delegation problem, check this:
# ipa service-show foo/`hostname` --all --raw | grep "dn:"
dn: krbprincipalname=foo/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test
# ipa role-show test_role --all --raw | grep "dn:"
dn: cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
# kinit admin
Password for admin@MKOSEK-FEDORA20.TEST:
# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@MKOSEK-FEDORA20.TEST
SASL SSF: 56
SASL data security layer installed.
dn: cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
changetype: modify
add: member
member: krbprincipalname=foo/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test

modifying entry "cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test"
# ipa role-show test_role --all --raw
...
member: krbprincipalname=foo/ipa.mkosek-fedora20.test@MKOSEK-FEDORA20.TEST,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test
...
Then, the role and assigned privileges/permissions should work for this service.
Martin
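The following shell helpers are an added example, not code from the thread or from FreeIPA: they wrap the manual workaround above (look up the service DN with `--raw`, build the LDIF that adds it as a role member, apply it with a GSSAPI-authenticated ldapmodify, then confirm membership from `ipa role-show --raw` output). The realm, host and role names are constructed placeholders; `apply_role_member` is defined but not run, since it needs a live IPA server and an admin ticket.

```shell
#!/bin/sh
# Added example (not from the original thread or the FreeIPA project).
# Helpers for the workaround of adding a service's DN to an IPA role with
# ldapmodify. All DNs below are constructed placeholders in the style of
# the thread, not real entries.

# Extract the first "dn:" value from `ipa <obj>-show --all --raw` output
# read on stdin. --raw matters: the non-raw output shows the principal
# name, not the LDAP DN that the role's member attribute needs.
dn_from_raw() {
    sed -n 's/^dn: *//p' | head -n 1
}

# Print the LDIF that adds MEMBER_DN to the role entry ROLE_DN.
# Usage: role_member_ldif ROLE_DN MEMBER_DN
role_member_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' "$1" "$2"
}

# Apply the change the same way the thread does (GSSAPI bind as the
# principal holding the current ticket, e.g. after `kinit admin`).
# Not invoked in this file; shown for completeness.
apply_role_member() {
    role_member_ldif "$1" "$2" | ldapmodify -Y GSSAPI
}

# Succeed (exit 0) if the raw role-show output on stdin lists MEMBER_DN as
# a member. DNs compare case-insensitively, so both sides are lowercased;
# -F makes the comparison literal, -x requires a whole-line match.
role_has_member() {
    needle="member: $(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    tr 'A-Z' 'a-z' | grep -Fqx -- "$needle"
}

# Constructed sample output, standing in for `ipa service-show radius/... --all --raw`.
SERVICE_RAW='dn: krbprincipalname=radius/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbprincipalname: radius/ipa.example.test@EXAMPLE.TEST
objectclass: ipaobject'

# Constructed sample output, standing in for `ipa role-show test_role --all --raw`
# after the ldapmodify has been applied.
ROLE_RAW_AFTER='dn: cn=test_role,cn=roles,cn=accounts,dc=example,dc=test
cn: test_role
member: krbprincipalname=radius/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test'

ROLE_DN='cn=test_role,cn=roles,cn=accounts,dc=example,dc=test'

# Walk through the procedure on the constructed data.
svc_dn=$(printf '%s\n' "$SERVICE_RAW" | dn_from_raw)
echo "service DN: $svc_dn"
echo "LDIF to apply (via apply_role_member \"$ROLE_DN\" \"\$svc_dn\" on a real server):"
role_member_ldif "$ROLE_DN" "$svc_dn"
if printf '%s\n' "$ROLE_RAW_AFTER" | role_has_member "$svc_dn"; then
    echo "verified: service is a member of test_role"
else
    echo "service is NOT a member of test_role"
fi
```

On a real server the sequence is `svc_dn=$(ipa service-show "radius/$(hostname)" --all --raw | dn_from_raw)`, then `apply_role_member "$ROLE_DN" "$svc_dn"`, then `ipa role-show test_role --all --raw | role_has_member "$svc_dn"` as the check; the membership test deliberately uses the raw output rather than the formatted one for the same reason the DN lookup does.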