[Freeipa-users] Best and Secure Way for a System Account
Günther J. Niederwimmer
gjn at gjn.priv.at
Fri Oct 21 12:42:49 UTC 2016
Hello Martin and List,
Pardon me, but something is wrong with the LDIF I
ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"
I have searched and read for days now, but this FreeIPA / LDAP problem is at too
high a level for me :-(.
Please help again.
Thanks for an answer
On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> >
> > Thanks for the answer and Help.
> >
> > I mean my big problem is to understand the way to configure an ACI :-(.
> >>> # ldapmodify -x -D 'cn=Directory Manager' -W
> >>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >>> changetype: add
> >>> objectclass: account
> >>> objectclass: simplesecurityobject
> >>> uid: system
> >>> userPassword: secret123
> >>> passwordExpirationTime: 20380119031407Z
> >>> nsIdleTimeout: 0
> >>> <blank line>
> >>> ^D
> >>>
> >>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>
> >>> The IPA docs have no time stamp to find out whether this is current or old :-(.
> >>>
> >>> Thanks for an answer,
> >>
> >> Hi Gunther,
> >>
> >> that LDIF looks ok to me.
> >>
> >> Do not forget that you must set up the correct ACIs in order for the
> >> system account to see the 'mailAlternateAddress' attribute.
>
> See the following document for a step-by-step guide on how to write ACIs:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>
> To allow the system account read access to your custom attributes, you
> can use LDIF like this (untested, hopefully I got it right from the top
> of my head):
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
> )")(version 3.0; acl "Allow system account to read mail address";
> allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> """
> save it to file and then call
>
> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>
> to add this ACI to the cn=users subtree. The ACI then applies to all entries
> in the subtree.
--
kind regards / best regards,
Günther J. Niederwimmer
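As an added example (not code from the thread or from the FreeIPA project), the following Python writes Martin's ACI modify LDIF with RFC 2849 continuation lines and checks an LDIF file for the wrapped-line mistake that makes ldapmodify report "invalid format (line 5)". The DNs are the example.com placeholders from the thread; the constructed BROKEN_LDIF assumes the ACI value was pasted on its own line without a leading space.

```python
import re

# DNs and names as in the thread (example.com placeholders)
SYSTEM_ACCOUNT_DN = "uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com"
TARGET_DN = "cn=users,cn=accounts,dc=example,dc=com"

def build_read_aci(attr, objectclass, bind_dn, acl_name):
    """389-ds ACI granting read/search/compare on one attribute to one bind DN."""
    return ('(targetattr="%s")(targetfilter="(objectClass=%s)")'
            '(version 3.0; acl "%s"; allow(read, search, compare) '
            'userdn = "ldap:///%s";)' % (attr, objectclass, acl_name, bind_dn))

def fold(line, width=76):
    """Wrap one LDIF line; each continuation line starts with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def unfold(text):
    """Join continuation lines back onto their logical line (inverse of fold)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def aci_modify_ldif(target_dn, aci):
    """'changetype: modify' record that adds the ACI to the target entry."""
    lines = ["dn: " + target_dn, "changetype: modify", "add: aci"]
    return "\n".join(lines + fold("aci: " + aci)) + "\n"

_ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;-]*:")

def check_ldif(text):
    """(lineno, reason) for lines that are neither 'attr: value', a continuation
    line (leading space), a comment, a '-' separator, nor blank."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        if not (not line or line[0] in " #" or line == "-" or _ATTR_LINE.match(line)):
            bad.append((n, "not an attribute line or a continuation line"))
    return bad

# Constructed file mirroring a mail-client-wrapped ACI: line 5 starts in column 0
BROKEN_LDIF = ("dn: %s\nchangetype: modify\nadd: aci\naci:\n%s\n" % (TARGET_DN,
    build_read_aci("mailAlternateAddress", "mailrecipient", SYSTEM_ACCOUNT_DN,
                   "Allow system account to read mail address")))
```

Running check_ldif over the file you feed to ldapmodify points at the same line number ldapmodify complains about; aci_modify_ldif produces a file that passes the check and unfolds to the single-line ACI.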