[Freeipa-users] Best and Secure Way for a System Account

Brian Candler b.candler at pobox.com
Mon Oct 17 14:13:50 UTC 2016


On 17/10/2016 14:56, freeipa-users-request at redhat.com wrote:
> But now I have to create for this user an ACI to read the uid,
> passwd, mail, mailAlternateAddress...
>
> mailAlternateAddress is in "objectClass mailrecipient"
>
> I mean I must have an ACI like
> access to attribute= ............
>
> Does anyone have a hint or link to understand this problem?

I found this guide very helpful, specifically for allowing access to an 
NT password hash attribute for doing wireless authentication.

http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html

They are doing it the correct way here: by creating a service principal 
for the RADIUS server, which it uses to get a Kerberos ticket and 
authenticate itself to the directory. But you could also use similar 
steps to apply those permissions to a regular user.

And the related guide if you're interested:

http://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html

Regards,

Brian.
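The steps Brian describes (a service principal for the RADIUS server, granted read access to exactly the attributes from the question) as an added example script, not code from the thread or from the linked guide. It assumes an enrolled host radius.example.com, an IPA server ipa.example.com with base DN dc=example,dc=com, and hypothetical permission/privilege/role names; DRY_RUN=1 only prints the ipa commands.

```shell
#!/bin/sh
# Added example: give a RADIUS service principal least-privilege read access
# to uid, mail and mailAlternateAddress on user entries, using FreeIPA's
# permission -> privilege -> role chain instead of a hand-written ACI.
# Assumed (hypothetical) names: adjust to your realm.
RADIUS_HOST="${RADIUS_HOST:-radius.example.com}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
BASEDN="${BASEDN:-dc=example,dc=com}"
SVC="radius/${RADIUS_HOST}"
PERM="Read RADIUS user attributes"
PRIV="RADIUS user reader"
ROLE="RADIUS service"
KEYTAB="${KEYTAB:-/etc/raddb/ipa.keytab}"

# Execute a command, or only print it when DRY_RUN is set, so the plan can be
# reviewed (and tested) without an IPA server.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Create the service principal and grant it read access to exactly the
# attributes the RADIUS server needs, restricted to user entries.
grant_radius_read_access() {
    run ipa service-add "$SVC"
    run ipa permission-add "$PERM" --right=read --type=user \
        --attrs=uid --attrs=mail --attrs=mailAlternateAddress
    run ipa privilege-add "$PRIV"
    run ipa privilege-add-permission "$PRIV" --permissions="$PERM"
    run ipa role-add "$ROLE"
    run ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    run ipa role-add-member "$ROLE" --services="$SVC"
}

# On the RADIUS host: fetch the keytab, bind to the directory with the
# service's own Kerberos credentials (no shared password) and check that
# the granted attributes, and nothing more, are readable for one user.
verify_radius_read_access() {
    run ipa-getkeytab -p "$SVC" -k "$KEYTAB"
    run kinit -kt "$KEYTAB" "$SVC"
    run ldapsearch -Y GSSAPI -H "ldap://${IPA_SERVER}" \
        -b "cn=users,cn=accounts,${BASEDN}" "(uid=${1:-testuser})" \
        uid mail mailAlternateAddress
}

# Usage: sh grant.sh plan (print only) | sh grant.sh apply [uid] (run for real)
case "${1:-}" in
    plan)  DRY_RUN=1; grant_radius_read_access ;;
    apply) grant_radius_read_access && verify_radius_read_access "${2:-}" ;;
esac
```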
