[Freeipa-users] Best and Secure Way for a System Account
Günther J. Niederwimmer
gjn at gjn.priv.at
Fri Oct 21 14:05:42 UTC 2016
Hello,
Thanks for the answer,
On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > Hello Martin and List,
> >
> > Pardon me, but something is wrong with the LDIF I
> >
> > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > Enter LDAP Password:
> > ldapmodify: invalid format (line 5) entry:
> > "cn=users,cn=accounts,dc=4gjn,dc=com"
>
> dn: cn=users,cn=accounts,dc=4gjn,dc=com
this is in the ldif?
"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
""
but what is wrong?
> > I have searched and read now for days, but this FreeIPA / LDAP problem is
> > at too high a level for me :-(.
> >
> > Please help again..
> >
> > Thanks for an answer
> >
> > On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List
> >>>
> >>> Thanks for the answer and Help.
> >>>
> >>> I mean my big problem is to understand the way to configure an ACI :-(.
> >
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> >
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > <blank line>
> >
> > ^D
> >
> >>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>>>
> >>>>> The IPA docs have no time stamp to find out whether this is current or
> >>>>> old :-(.
> >>>>>
> >>>>> Thanks for an answer,
> >>>>
> >>>> Hi Gunther,
> >>>>
> >>>> that LDIF looks ok to me.
> >>>>
> >>>> Do not forget that you must set up the correct ACIs in order for the
> >>>> system account to see the 'mailAlternateAddress' attribute.
> >>
> >> See the following document for a step-by-step guide on how to write ACIs:
> >>
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >>
> >> To allow the system account read access to your custom attributes, you
> >> can use LDIF like this (untested, hopefully I got it right from the top
> >> of my head):
> >>
> >> """
> >> dn: cn=users,cn=accounts,dc=example,dc=com
> >> changetype: modify
> >> add: aci
> >> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> >>  (version 3.0; acl "Allow system account to read mail address"; allow(read,
> >>  search, compare) userdn =
> >>  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >> """
> >> save it to file and then call
> >>
> >> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >>
> >> to add this ACI to cn=users subtree. The ACI then applies to all entries
> >> in the subtree.
--
with kind regards / best regards,
Günther J. Niederwimmer
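Added example, not from the thread or from FreeIPA: the ldapmodify error "invalid format (line 5)" is what 389-ds reports when a long attribute value has been wrapped onto new lines by a mail client without the LDIF continuation marker (a single leading space, RFC 2849). The script below rebuilds the ACI LDIF from the thread with correct folding and includes a checker that flags the malformed physical lines in the wrapped version; dc=example,dc=com is the thread's placeholder base DN.

```python
import re

# The ACI from the thread as one logical value (dc=example,dc=com as in the thread).
ACI = ('(targetattr="mailAlternateAddress")'
       '(targetfilter="(objectClass=mailrecipient)")'
       '(version 3.0; acl "Allow system account to read mail address"; '
       'allow(read, search, compare) userdn = '
       '"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)')

# The LDIF as it looked after the mail client wrapped it (constructed from the thread).
BROKEN_LDIF = """dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

_ATTR_LINE = re.compile(r"^[A-Za-z][\w.-]*(;[\w-]+)*:")  # 'attr:' or 'attr;option:'

def fold(logical, width=76):
    """RFC 2849 folding: split a long line; every continuation starts with ONE space."""
    pieces, rest = [logical[:width]], logical[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return pieces

def aci_ldif(base_dn, aci=ACI):
    """Correctly folded LDIF that adds the ACI to cn=users,cn=accounts,<base_dn>."""
    lines = [f"dn: cn=users,cn=accounts,{base_dn}", "changetype: modify", "add: aci"]
    lines += fold(f"aci: {aci}")
    return "\n".join(lines) + "\n"

def check_ldif(text):
    """Unfold continuations and return (logical_lines, malformed_line_numbers): a physical
    line must be blank, '# comment', 'attr: value' or start with a space (continuation)."""
    logical, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # continuation: glue onto previous logical line
        elif line == "" or line.startswith("#") or _ATTR_LINE.match(line):
            logical.append(line)
        else:
            bad.append(n)                    # this is where ldapmodify stops: "invalid format"
    return logical, bad
```

Running `check_ldif(BROKEN_LDIF)` reports line 5 as the first malformed line, exactly as ldapmodify did; feeding `aci_ldif("dc=example,dc=com")` to `ldapmodify -x -D 'cn=Directory Manager' -W` is the properly folded equivalent.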