[Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu

Alexander Bokovoy abokovoy at redhat.com
Thu Jan 29 14:47:48 UTC 2015


On Tue, 27 Jan 2015, Raoul Becke wrote:
>Alexander Bokovoy <abokovoy at ...> writes:
>
>>
>> On Wed, 14 Jan 2015, Raoul Becke wrote:
>> >Alexander Bokovoy <abokovoy <at> ...> writes:
>> >
>
>Thank you very much for these detailed instructions. It seems not to be too
>complicated and I am thinking of giving it a 2nd try - the only thing that worries me
>a bit is:
>
>>
>> This would work more or less same in 3.0 but you would need to add
>> permissions differently because 3.x doesn't have as easy permission
>> constructing means as 4.0 has.
>>
>
>Is there a document that describes how to do this in:
>Name        : ipa-server
>Arch        : x86_64
>Version     : 3.3.3
>
>Or a document that describes the differences then I can take it from there.
I think the difference would be in the unavailability of the
'ipa privilege-add-permission' command. You still need to create the
privilege and the role, but then create the ACI manually, referencing the
privilege.

# ipa privilege-add 'CIFS server privilege'
---------------------------------------
Added privilege "CIFS server privilege"
---------------------------------------
  Privilege name: CIFS server privilege
# ipa role-add 'CIFS server'
------------------------
Added role "CIFS server"
------------------------
  Role name: CIFS server
# ipa role-add-privilege 'CIFS server' --privilege='CIFS server privilege'
  Role name: CIFS server
  Privileges: CIFS server privilege
----------------------------
Number of privileges added 1
----------------------------

And add an ACI based on the privilege group DN:
# cat 89-cifs-privilege-aci.update 
dn: $SUFFIX
add:aci: '(targetattr = "ipaNTHash || ipaNTSecurityIdentifier")(version 3.0; acl "CIFS server privilege permission"; allow (read,search,compare) groupdn="ldap:///cn=CIFS server privilege,cn=privileges,cn=pbac,$SUFFIX";)'

# ipa-ldap-updater -l ./89-cifs-privilege-aci.update 
Parsing update file './89-cifs-privilege-aci.update'
Updating existing entry: dc=f21,dc=test
Done
The ipa-ldap-updater command was successful

The add:aci line in the .update file should be that long. Note that
changing ACIs directly, as opposed to using the permission CLI in FreeIPA 4.x, is not
really recommended. You need to understand what you are doing, and that
wrong operations may cause slowness or even total malfunctioning of the
LDAP server.

-- 
/ Alexander Bokovoy
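Before applying an update file like the one above on a 3.x server, it helps to audit what the suffix entry's existing ACIs already grant on ipaNTHash, since the post warns that hand-written ACIs are easy to get wrong. The Python below is an added example, not part of the post or of FreeIPA; the sample ACI values and the suffix dc=f21,dc=test are constructed, and the over-broad second ACI is hypothetical.

```python
import re
# Constructed sample values as returned for the "aci" attribute of the suffix entry;
# example code added here, not the commands from the list post. The suffix is assumed.
SUFFIX = "dc=f21,dc=test"
CIFS_GROUP = f"ldap:///cn=CIFS server privilege,cn=privileges,cn=pbac,{SUFFIX}"
SAMPLE_ACIS = [
    '(targetattr = "ipaNTHash || ipaNTSecurityIdentifier")(version 3.0; '
    'acl "CIFS server privilege permission"; allow (read,search,compare) '
    f'groupdn="{CIFS_GROUP}";)',
    # A hypothetical over-broad ACI, constructed to show what the audit flags.
    '(targetattr = "ipaNTHash")(version 3.0; acl "too broad"; allow (all) '
    'userdn="ldap:///anyone";)',
]
# Matches the simple (targetattr)(version 3.0; acl; allow/deny (rights) bindrule;)
# shape used in the post; anything else touching ipaNTHash is reported for review.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bindtype>userdn|groupdn)\s*=\s*"(?P<bind>[^"]*)"\s*;\)'
)
SAFE_RIGHTS = {"read", "search", "compare"}

def parse_aci(aci):
    """Split one ACI value into attrs, name, effect, rights and bind rule, or None."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        return None
    d = m.groupdict()
    d["attrs"] = [a.strip() for a in d["attrs"].split("||")]
    d["rights"] = {r.strip() for r in d["rights"].split(",")}
    return d

def audit_nthash_acis(acis, allowed_group=CIFS_GROUP):
    """Return (acl name, problem) pairs for allow-ACIs exposing ipaNTHash too widely."""
    findings = []
    for aci in acis:
        p = parse_aci(aci)
        if p is None:
            if "ipaNTHash" in aci:
                findings.append(("<unparsed>", "unrecognised ACI shape; review manually"))
            continue
        if "ipaNTHash" not in p["attrs"] or p["effect"] != "allow":
            continue
        if not p["rights"] <= SAFE_RIGHTS:
            findings.append((p["name"], "rights beyond read/search/compare: " + ",".join(sorted(p["rights"]))))
        if p["bindtype"] != "groupdn" or p["bind"] != allowed_group:
            findings.append((p["name"], f'bind rule {p["bindtype"]}="{p["bind"]}" is not the CIFS privilege group'))
    return findings
```

Feed it the aci values read from the suffix entry (for example the output of an ldapsearch for the aci attribute) and expect an empty list when only the CIFS privilege group can read the NT hash.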
