[Freeipa-users] Proper configuration of service accounts

Rob Crittenden rcritten at redhat.com
Wed May 20 17:58:23 UTC 2015


Boyce, George Robert. (GSFC-762.0)[NICS] wrote:
> <<
> If you want to add special ACIs using the new/updated permission API (ipa
> permission-add), I would suggest the following procedure:
>
> 1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
> 2) Add the new permissions you want to add, make them a member of a (new)
> privilege.
> 3) Create a new role, make the new/updated privileges members of that role
> 4) Use ldapmodify to make the system account DN member of that role (you
> just add a new member attribute value)
> 5) Profit - you should now be able to control permissions to your system
> account with FreeIPA CLI/UI
> >>
>
> On step 4 to add the sysaccounts user to the role, I get an error:
>
> # cat sysaccount-LDAPsearch-add-role-2.ldif
> dn: cn=A and A,cn=roles,cn=accounts,dc=…
> changetype: modify
> add: member
> member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=…
>
> # ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
> SASL/GSSAPI authentication started
> SASL username: admin at ...
> SASL SSF: 56
> SASL data security layer installed.
> modifying entry "cn=A and A,cn=roles,cn=accounts,dc=…"
> ldap_modify: Object class violation (65)
>
> Same thing if I use Directory Manager. I was able to add a normal user
> to the role, using both the GUI and ldapmodify.

Try adding the inetUser objectclass to your system account. You're 
probably lacking memberOf.

> # ipa --version
> VERSION: 4.1.0, API_VERSION: 2.112
>
> # cat /etc/centos-release
> CentOS Linux release 7.1.1503 (Core)
>
> George Boyce, SAIC/NICS
> GCC Systems Support
> NASA GSFC Code 762

I was in Code 500 many moons ago, Center Network Environment (CNE).

rob
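Rob's suggestion, written out as LDIF. This is an added example, not from the thread: the base DN dc=example,dc=com, the role name and the account uid are placeholders, and the memberOf-related rationale in the comments is the standard FreeIPA sysaccount guidance rather than something stated above.

```ldif
# Step A: give the existing system account the inetUser objectclass.
# The role plugin writes memberOf on the member entry; an entry built
# only from account + simplesecurityobject cannot hold memberOf, hence
# "Object class violation (65)" when the role's member attribute is
# updated. A new sysaccount should carry inetUser from the start.
dn: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: inetUser

# Step B: the same role membership change that failed in the thread,
# now accepted because the member entry can receive memberOf.
# The account still has no rights of its own: it can do only what the
# permissions bound to the privileges in this role grant.
dn: cn=A and A,cn=roles,cn=accounts,dc=example,dc=com
changetype: modify
add: member
member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=example,dc=com

# Check afterwards (hypothetical, outside this file):
#   ldapsearch -Y GSSAPI -b "uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=example,dc=com" memberOf
# should list the role DN from step B.
```

Apply with `ldapmodify -Y GSSAPI -f <file>` as an admin, or as Directory Manager; the verification search confirms the memberOf value the role plugin maintains.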
