[Freeipa-users] Best and Secure Way for a System Account

Rich Megginson rmeggins at redhat.com
Fri Oct 21 13:11:58 UTC 2016


On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> Hello Martin and List,
>
> Pardon me, but something is wrong with the ldif I
>
> ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> Enter LDAP Password:
> ldapmodify: invalid format (line 5) entry:
> "cn=users,cn=accounts,dc=4gjn,dc=com"

dn: cn=users,cn=accounts,dc=4gjn,dc=com

>
> I have searched and read for days now, but this FreeIPA / LDAP problem is at too
> high a level for me :-(.
>
> Please help again.
>
> Thanks for an answer
>
> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
>> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
>>> Hello Martin and List
>>>
>>> Thanks for the answer and Help.
>>>
>>> I mean my big problem is to understand the way to configure an ACI :-(.
> # ldapmodify -x -D 'cn=Directory Manager' -W
>   dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>   changetype: add
>   objectclass: account
>   objectclass: simplesecurityobject
>   uid: system
>   userPassword: secret123
>   passwordExpirationTime: 20380119031407Z
>   nsIdleTimeout: 0
>   <blank line>
> ^D
>
>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>>>>>
>>>>> The IPA docs have no time stamp to find out whether this is current or old :-(.
>>>>>
>>>>> Thanks for an answer,
>>>> Hi Gunther,
>>>>
>>>> that LDIF looks ok to me.
>>>>
>>>> Do not forget that you must set up the correct ACIs in order for the
>>>> system account to see the 'mailAlternateAddress' attribute.
>> See the following document for a step-by-step guide on how to write ACIs:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>>
>> To allow the system account read access to your custom attributes, you
>> can use LDIF like this (untested, hopefully I got it right from the top
>> of my head):
>>
>> """
>> dn: cn=users,cn=accounts,dc=example,dc=com
>> changetype: modify
>> add: aci
>> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
>>  (version 3.0; acl "Allow system account to read mail address";
>>   allow(read, search, compare)
>>   userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>> """
>> save it to file and then call
>>
>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>>
>> to add this ACI to cn=users subtree. The ACI then applies to all entries
>> in the subtree.
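The "invalid format (line 5)" error above is what ldapmodify reports when a mail-wrapped ACI loses the leading space that LDIF continuation lines require. The following script, an added example that is not part of the thread or of FreeIPA, checks an LDIF file for that class of mistake and shows how to fold the thread's ACI so that it reassembles unchanged; the sample LDIF is constructed from the thread's own text, with the thread's example.com DNs.

```python
import re

# Constructed sample: the thread's ACI LDIF as mail wrapping broke it (no leading spaces).
WRAPPED_LDIF = """\
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
)")(version 3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
# The same ACI as one unbroken value, ready to be folded correctly.
ACI_VALUE = ('(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")'
             '(version 3.0; acl "Allow system account to read mail address"; allow(read, '
             'search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)')
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*::?\s?")

def check_ldif(text):
    """Return (1-based line number, reason) for the first malformed line, else None.
    A record starts with 'dn:'; other lines are 'attr: value' or begin with one space."""
    first_of_record = True
    for number, line in enumerate(text.splitlines(), start=1):
        if line == "":                       # blank line ends the record
            first_of_record = True
            continue
        if line.startswith("#") or (line.startswith(" ") and not first_of_record):
            continue                         # comment or continuation line
        if first_of_record and not line.lower().startswith("dn:"):
            return number, "record must start with 'dn:'"
        if not ATTR_LINE.match(line):
            return number, "not 'attribute: value' and not a continuation"
        first_of_record = False
    return None

def fold_value(attr, value, width=76):
    """Fold 'attr: value' per RFC 2849: continuations start with one space the parser strips."""
    text = f"{attr}: {value}"
    lines = [text[:width]]
    for start in range(width, len(text), width - 1):
        lines.append(" " + text[start:start + width - 1])
    return lines

def unfold(lines):  # inverse of fold_value, i.e. how ldapmodify reads the file
    return lines[0] + "".join(line[1:] for line in lines[1:])

def fixed_ldif():
    """The thread's ACI modify operation as LDIF that ldapmodify will accept."""
    lines = ["dn: cn=users,cn=accounts,dc=example,dc=com", "changetype: modify", "add: aci"]
    return "\n".join(lines + fold_value("aci", ACI_VALUE)) + "\n"
```

Running check_ldif over the wrapped sample flags line 5, the same line ldapmodify rejected; fixed_ldif() produces a file that passes the check and unfolds to exactly the intended ACI.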