[Freeipa-users] Best and Secure Way for a System Account

Martin Babinsky mbabinsk at redhat.com
Mon Oct 17 12:41:01 UTC 2016


On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> Hello Martin and List
>
> Thanks for the answer and help.
>
> I mean my big problem is to understand the way to configure an ACI :-(.
>
> I can't find any example or docs to configure this correctly :-(.
>
> I mean this is a problem for the professional league in FreeIPA, and I am not a
> professional :-(..
>
>  I make this, for all LDAP configured Apps
>
> ipa group-add systemers  --nonposix  #group
>
>  ipa pwpolicy-add systemers --maxlife=20000 --minclasses=3 --priority=0
> #forever-passwords
>
>  ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos=""
> --shell=/usr/sbin/nologin --email="" --random #user
>
> This user (ldapbind) is only in group systemers
>
> But now I have to create for this user an ACI to read the uid,
> passwd, mail, mailAlternateAddress...
>
> mailAlternateAddress is in "objectClass mailrecipient"
>
> I mean I must have an ACI like
> access to attribute= ............
>
> Does anyone have a hint or link to understand this problem?
>
> Thanks for an answer and help,
>
>
> On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote:
>> On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> IPA 4.3.1
>>>
>>> I have a big problem with my LDAP read user (ldapbind). I'd like to install
>>> dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin
>>> for this, but now I can't read these attributes :-(.
>>>
>>> Is this the current way to implement a System Account?
>>>
>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>>> changetype: add
>>> objectclass: account
>>> objectclass: simplesecurityobject
>>> uid: system
>>> userPassword: secret123
>>> passwordExpirationTime: 20380119031407Z
>>> nsIdleTimeout: 0
>>> <blank line>
>>> ^D
>>>
>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>>>
>>> The IPA docs have no time stamp to find out whether this is current or old :-(.
>>>
>>> Thanks for an answer,
>>
>> Hi Gunther,
>>
>> that LDIF looks ok to me.
>>
>> Do not forget that you must set up the correct ACIs in order for the
>> system account to see the 'mailAlternateAddress' attribute.
>

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you 
can use LDIF like this (untested, hopefully I got it right from the top 
of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: 
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 
3.0; acl "Allow system account to read mail address"; allow(read, 
search, compare) userdn = 
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to cn=users subtree. The ACI then applies to all entries 
in the subtree.

-- 
Martin^3 Babinsky
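As an added example (not code from the thread or from the FreeIPA project), a POSIX shell script that emits the same ACI as LDIF with RFC 2849 line folding, so a mail-client wrap like the one in the reply above cannot break it, and a check that binds as the system account to confirm the attribute is visible. The base DN, the system account DN, the attribute name and the password file path are assumed placeholders for your deployment.

```shell
#!/bin/sh
# Added example: generate a folded ACI LDIF and verify the resulting access.
BASE="dc=example,dc=com"                                # assumed base DN
SYSACCT="uid=system,cn=sysaccounts,cn=etc,$BASE"        # assumed system account
ATTR="mailAlternateAddress"                             # attribute to expose

# Fold one LDIF line to at most 76 characters: the first piece is kept as is,
# every further piece gets a single leading space (RFC 2849 continuation).
fold_ldif() {
    printf '%s\n' "$1" | fold -w 75 | sed '2,$s/^/ /'
}

# Emit the modify operation that adds the ACI to the cn=users subtree.
make_aci_ldif() {
    aci="(targetattr=\"$ATTR\")(targetfilter=\"(objectClass=mailrecipient)\")"
    aci="$aci(version 3.0; acl \"Allow system account to read mail address\";"
    aci="$aci allow(read, search, compare) userdn = \"ldap:///$SYSACCT\";)"
    printf 'dn: cn=users,cn=accounts,%s\n' "$BASE"
    printf 'changetype: modify\n'
    printf 'add: aci\n'
    fold_ldif "aci: $aci"
}

# Check after loading the LDIF: bound as the system account the attribute must
# come back; the password is read from a file (-y) so it never appears in argv.
verify_aci() {
    passfile="$1"
    ldapsearch -LLL -x -D "$SYSACCT" -y "$passfile" \
        -b "cn=users,cn=accounts,$BASE" "(objectClass=mailrecipient)" "$ATTR"
}

# Usage: sh aci.sh --print > aci.ldif && ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
#        sh aci.sh --verify /path/to/system-account.pw
case "${1:-}" in
    --print)  make_aci_ldif ;;
    --verify) verify_aci "$2" ;;
esac
```

Running the same ldapsearch with an anonymous bind (no -D) should return no mailAlternateAddress values, which confirms the grant is limited to the system account.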
