[Freeipa-users] Best and Secure Way for a System Account

Günther J. Niederwimmer gjn at gjn.priv.at
Fri Oct 21 14:05:42 UTC 2016


Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > Hello Martin and List,
> > 
> > Pardon me, but something is wrong with the LDIF I have:
> > 
> > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > Enter LDAP Password:
> > ldapmodify: invalid format (line 5) entry:
> > "cn=users,cn=accounts,dc=4gjn,dc=com"
> 
> dn: cn=users,cn=accounts,dc=4gjn,dc=com

This is in the LDIF?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: 
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version 
3.0; acl "Allow system account to read mail address"; allow(read, 
search, compare) userdn = 
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
""

But what is wrong?
 
> > I have searched and read for days now, but this FreeIPA / LDAP problem is
> > at too high a level for me :-(.
> > 
> > Please help again...
> > 
> > Thanks for an answer
> > 
> > On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List
> >>> 
> >>> Thanks for the answer and Help.
> >>> 
> >>> I mean my big problem is understanding how to configure an ACI :-(.
> > 
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > 
> >   dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >   changetype: add
> >   objectclass: account
> >   objectclass: simplesecurityobject
> >   uid: system
> >   userPassword: secret123
> >   passwordExpirationTime: 20380119031407Z
> >   nsIdleTimeout: 0
> >   <blank line>
> > 
> > ^D
> > 
> >>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>>> 
> >>>>> The IPA docs have no time stamp to find out whether this is current or
> >>>>> old :-(.
> >>>>> 
> >>>>> Thanks for an answer,
> >>>> 
> >>>> Hi Gunther,
> >>>> 
> >>>> that LDIF looks ok to me.
> >>>> 
> >>>> Do not forget that you must set up the correct ACIs in order for the
> >>>> system account to see the 'mailAlternateAddress' attribute.
> >> 
> >> See the following document for a step-by-step guide on how to write ACIs:
> >> 
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >> 
> >> To allow the system account read access to your custom attributes, you
> >> can use LDIF like this (untested, hopefully I got it right from the top
> >> of my head):
> >> 
> >> """
> >> dn: cn=users,cn=accounts,dc=example,dc=com
> >> changetype: modify
> >> add: aci
> >> aci:
> >> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipi
> >> ent )")(version 3.0; acl "Allow system account to read mail address";
> >> allow(read,
> >> search, compare) userdn =
> >> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >> """
> >> save it to file and then call
> >> 
> >> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >> 
> >> to add this ACI to cn=users subtree. The ACI then applies to all entries
> >> in the subtree.

-- 
kind regards / best regards,

  Günther J. Niederwimmer
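As an added example (not code from this thread, from FreeIPA or from 389-ds), the following Python approximates the format check that ldapmodify applies to the posted file and shows the RFC 2849 line-folding rule it violates: a value that continues on the next physical line must begin with exactly one space; otherwise that line is read as a new attribute line, which is why the posted file fails with "invalid format (line 5)". The DN, the ACI text and the sample LDIF are constructed from the messages above; the function names (`unfold_ldif`, `first_bad_line`, `fold_ldif_line`, `build_aci_ldif`) are chosen for this example only.

```python
"""LDIF line-folding check and folder (RFC 2849).

Added example for this thread; not code from the mailing list, FreeIPA or
389-ds. It approximates the format check ldapmodify applies: a line that is
neither "attr: value", blank, a comment, nor a continuation (first character
a single space) is reported as an "invalid format" error.
"""
import re

# attr, optional "::" (base64) or ":<" (URL) marker, optional one space, value
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):(:|<)?\s?(.*)$")

# Constructed from the thread: the suggested ACI as one unbroken string.
USERS_DN = "cn=users,cn=accounts,dc=example,dc=com"
SYSTEM_ACI = (
    '(targetattr="mailAlternateAddress")'
    '(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; '
    'allow(read, search, compare) userdn = '
    '"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)'
)

# Constructed to mirror the posted alias.ldif: the value was split across
# lines without the leading space, so physical line 5 is not valid LDIF.
BROKEN_LDIF = "\n".join([
    f"dn: {USERS_DN}",
    "changetype: modify",
    "add: aci",
    "aci: ",
    '(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")',
    '(version 3.0; acl "Allow system account to read mail address"; allow(read, '
    'search, compare) userdn = '
    '"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)',
]) + "\n"


class LDIFFormatError(ValueError):
    """Carries the 1-based physical line number, as ldapmodify reports it."""
    def __init__(self, line_no, text):
        super().__init__(f"invalid format (line {line_no}): {text!r}")
        self.line_no = line_no


def unfold_ldif(text):
    """Return [(attr, value), ...] with folded lines joined back together.

    A continuation line starts with exactly one space, which is removed;
    everything after it (including further spaces) belongs to the value.
    """
    records, current = [], None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith(" ") and current is not None:
            current[1] += line[1:]
            continue
        if current is not None:
            records.append(tuple(current))
            current = None
        if line == "" or line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if m is None:
            raise LDIFFormatError(line_no, line)
        current = [m.group(1), m.group(3)]
    if current is not None:
        records.append(tuple(current))
    return records


def first_bad_line(text):
    """Line number of the first malformed line, or None if the LDIF parses."""
    try:
        unfold_ldif(text)
    except LDIFFormatError as err:
        return err.line_no
    return None


def fold_ldif_line(attr, value, width=76):
    """Render 'attr: value' so no physical line exceeds `width` columns,
    prefixing each continuation line with the single space RFC 2849 requires."""
    if width < 2:
        raise ValueError("width must leave room for the leading space")
    line, out = f"{attr}: {value}", []
    while len(line) > width:
        out.append(line[:width])
        line = " " + line[width:]
    out.append(line)
    return "\n".join(out)


def build_aci_ldif(dn, aci, width=76):
    """The modify record from the thread, with the aci value folded correctly."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: aci",
        fold_ldif_line("aci", aci, width),
    ]) + "\n"


if __name__ == "__main__":
    print("posted file: invalid format (line %s)" % first_bad_line(BROKEN_LDIF))
    fixed = build_aci_ldif(USERS_DN, SYSTEM_ACI)
    print("folded file: bad line = %s" % first_bad_line(fixed))
    print(fixed)
```

Writing `build_aci_ldif(USERS_DN, SYSTEM_ACI)` to a file and feeding it to `ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif` gives the same record as the posted one but with every continuation line space-prefixed; the simplest alternative is to keep the whole `aci:` value on one long line, which LDIF also allows.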




More information about the Freeipa-users mailing list