[Freeipa-users] ACI for full replica

Rob Crittenden rcritten at redhat.com
Wed Oct 7 13:51:46 UTC 2015


Nicola Canepa wrote:
> Hello, I'm trying to replicate a subtree of the data from FreeIPA to a
> "foreign" LDAP server, by using LSC (http://lsc-project.org).
> The replication seems to work correctly, but I was unable to create a
> user (maybe even not visible from the web GUI) which could read the
> userPassword field.
> Which ACI/Role/Group should I use for this purpose?
> 
> Thank you for any hint: I did not find such information inside the
> documentation.

Depending on the type of bind user you're using you'd need to add your
own permission or ACI to grant read on userPassword. I'd tread very
carefully here and triple check that the ACI does only what you need and
doesn't otherwise leak data, and especially watch those who can assign
roles to avoid accidental disclosure.

rob
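As an added illustration of the advice above (not part of the thread and not FreeIPA project code), the following script builds a dedicated permission, privilege and role that grant one bind user read access to userPassword on the users subtree only, then prints what a reviewer should inspect. The suffix, the bind user name and the permission/privilege/role names are assumed placeholders; the FreeIPA CLI subcommands and options are the standard ones.

```shell
#!/bin/sh
# Added example: least-privilege grant of userPassword read access in FreeIPA.
# Assumptions (placeholders): SUFFIX, BIND_USER and the three object names.
set -eu

SUFFIX="${SUFFIX:-dc=example,dc=com}"
BIND_USER="${BIND_USER:-lsc-sync}"
PERM="Read userPassword for LSC sync"
PRIV="LSC password sync"
ROLE="LSC Replicator"

# With DRY_RUN=1 the ipa commands are printed instead of executed, so the
# grant can be reviewed (and tested) without a FreeIPA server.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ipa $*"; else ipa "$@"; fi
}

# One managed permission, one attribute, one object type (users only).
# --bindtype=permission: only holders of the permission (via a role) get it;
# never grant this to "all" or "anonymous".
grant_userpassword_read() {
    run permission-add "$PERM" \
        --right=read --right=search --right=compare \
        --attrs=userPassword --type=user --bindtype=permission
    run privilege-add "$PRIV" --desc="Read password hashes for LSC replication"
    run privilege-add-permission "$PRIV" --permissions="$PERM"
    run role-add "$ROLE" --desc="Bind identity used by LSC"
    run role-add-privilege "$ROLE" --privileges="$PRIV"
    run role-add-member "$ROLE" --users="$BIND_USER"
}

# Review: the generated ACI, who holds the role, and which privileges can
# change role membership (anyone holding those can widen this grant).
review_grant() {
    run permission-show "$PERM" --all --raw
    run role-show "$ROLE"
    run permission-show "System: Modify Role Membership" --all
}

# Verify as the bind user: userPassword must come back for a user in the
# subtree, while an unrelated secret attribute must not.
verify_as_bind_user() {
    uid="$1"
    dn="uid=$BIND_USER,cn=users,cn=accounts,$SUFFIX"
    base="cn=users,cn=accounts,$SUFFIX"
    ldapsearch -x -D "$dn" -W -b "$base" "(uid=$uid)" userPassword \
        | grep -q '^userPassword:' || { echo "userPassword not readable"; return 1; }
    ! ldapsearch -x -D "$dn" -W -b "$base" "(uid=$uid)" krbPrincipalKey \
        | grep -q '^krbPrincipalKey:' || { echo "grant is too broad"; return 1; }
}
```

Run `DRY_RUN=1 sh grant.sh` style checks first by sourcing the file and calling `grant_userpassword_read`, then `verify_as_bind_user <some-uid>` against a test account before pointing LSC at it.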
