[Freeipa-users] Best and Secure Way for a System Account

Günther J. Niederwimmer gjn at gjn.priv.at
Mon Oct 17 12:25:31 UTC 2016 

Hello Martin and List

Thanks for the answer and Help.

I mean my big Problem is to understand the way to configure a ACI :-(.

I can't found any example or docs to configure this correct :-(.

I mean this is a problem for the professional LIGA in FreeIPA , and I am not a 
professional :-(..

 I make this, for all LDAP configured Apps

ipa group-add systemers  --nonposix  #group

 ipa pwpolicy-add systemers --maxlife=20000 --minclasses=3 --priority=0                       
#forever-passwords

 ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos="" 
--shell=/usr/sbin/nologin --email="" --random #user

This user (ldapbind) is only in group systemers

But now I have to create for this user a ACI to read the uid, 
passwd,mail,mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have a ACI like
access to attribute= ............

Have any a hint or link to understand this Problem?

Thanks for a answer and help,

 
Am Montag, 17. Oktober 2016, 07:35:26 schrieb Martin Babinsky:
> On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > IPA 4.3.1
> > 
> > I have a big Problem with my LDAP Read User (ldapbind) I like to install
> > dovecot with IPA, but I must have "mailAternateAddress" I found a Plugin
> > for this, but now I cant read this Attributes :-(.
> > 
> > Is this the actual way to implement a System Account
> > 
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > <blank line>
> > ^D
> > 
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> > 
> > The IPA Docs have no time stamp to found out, is this actual or old :-(.
> > 
> > Thanks for a answer,
> 
> Hi Gunther,
> 
> that LDIF look ok to me.
> 
> Do not forget that you must set up the correct ACIs in order for the
> system account to see the 'mailAlternaleAddress' attribute.

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

More information about the Freeipa-users mailing list