[Freeipa-users] Best and Secure Way for a System Account

Rich Megginson rmeggins at redhat.com
Fri Oct 21 14:12:11 UTC 2016


On 10/21/2016 08:05 AM, Günther J. Niederwimmer wrote:
> Hello,
>
> Thanks for the answer,
>
> Am Freitag, 21. Oktober 2016, 07:11:58 schrieb Rich Megginson:
>> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
>>> Hello Martin and List,
>>>
>>> Pardon me, but something is wrong with the ldif I
>>>
>>> ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
>>> Enter LDAP Password:
>>> ldapmodify: invalid format (line 5) entry:
>>> "cn=users,cn=accounts,dc=4gjn,dc=com"
>> dn: cn=users,cn=accounts,dc=4gjn,dc=com
> this is in the ldif ?
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> (version
> 3.0; acl "Allow system account to read mail address"; allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> ""
>
> but what is wrong ?

Sorry, I don't know, I thought it was complaining about the DN line format.

>>> I have searched and read now for days, but this FreeIPA / LDAP problem has
>>> too high a level for me :-(.
>>>
>>> Please help again..
>>>
>>> Thanks for an answer
>>>
>>> Am Montag, 17. Oktober 2016, 14:41:01 schrieb Martin Babinsky:
>>>> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
>>>>> Hello Martin and List
>>>>>
>>>>> Thanks for the answer and Help.
>>>>>
>>>>> I mean my big problem is to understand the way to configure an ACI :-(.
>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>>
>>>    dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>>>    changetype: add
>>>    objectclass: account
>>>    objectclass: simplesecurityobject
>>>    uid: system
>>>    userPassword: secret123
>>>    passwordExpirationTime: 20380119031407Z
>>>    nsIdleTimeout: 0
>>>    <blank line>
>>>
>>> ^D
>>>
>>>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>>>>>>>
>>>>>>> The IPA docs have no time stamp to find out whether this is current or
>>>>>>> old :-(.
>>>>>>>
>>>>>>> Thanks for a answer,
>>>>>> Hi Gunther,
>>>>>>
>>>>>> that LDIF looks ok to me.
>>>>>>
>>>>>> Do not forget that you must set up the correct ACIs in order for the
>>>>>> system account to see the 'mailAlternateAddress' attribute.
>>>> See the following document for a step-by-step guide on how to write ACIs:
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>>>>
>>>> To allow the system account read access to your custom attributes, you
>>>> can use LDIF like this (untested, hopefully I got it right from the top
>>>> of my head):
>>>>
>>>> """
>>>> dn: cn=users,cn=accounts,dc=example,dc=com
>>>> changetype: modify
>>>> add: aci
>>>> aci:
>>>> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipi
>>>> ent )")(version 3.0; acl "Allow system account to read mail address";
>>>> allow(read,
>>>> search, compare) userdn =
>>>> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>>>> """
>>>> save it to file and then call
>>>>
>>>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>>>>
>>>> to add this ACI to cn=users subtree. The ACI then applies to all entries
>>>> in the subtree.
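The ACI and LDIF discussed in this thread, as an added example that is not part of any message in it: the script below assembles the read-only ACI for the system account, writes it as a `changetype: modify` record with RFC 2849 line folding (a value that runs past one line continues on lines that begin with a single space, which the reader strips when unfolding), and parses the result back to confirm the ACI survives the round trip. A small format check also rejects a record whose long value sits on an unindented line of its own. The DNs and attribute names are the thread's own example.com values; the function names and the `LDIF_MAX_LINE` constant are this example's.

```python
import re

# RFC 2849: wrap LDIF lines at 76 characters; a continuation line begins with
# exactly one space, which is removed when the record is unfolded.
LDIF_MAX_LINE = 76
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*:")


def build_read_aci(attrs, object_class, bind_dn, name):
    """Return a Directory Server ACI granting read/search/compare on `attrs`
    (for entries matching `object_class`) to the account bound as `bind_dn`."""
    targetattr = " || ".join(attrs)
    return (
        f'(targetattr="{targetattr}")'
        f'(targetfilter="(objectClass={object_class})")'
        f'(version 3.0; acl "{name}"; '
        f'allow (read, search, compare) userdn = "ldap:///{bind_dn}";)'
    )


def fold_ldif_line(line, width=LDIF_MAX_LINE):
    """Split one 'attr: value' line into RFC 2849 folded lines."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])  # leading space marks continuation
        rest = rest[width - 1:]
    return pieces


def aci_modify_ldif(target_dn, aci):
    """Build a 'changetype: modify' record that adds `aci` to `target_dn`."""
    lines = [f"dn: {target_dn}", "changetype: modify", "add: aci"]
    lines.extend(fold_ldif_line(f"aci: {aci}"))
    return "\n".join(lines) + "\n"


def parse_ldif(text):
    """Unfold one LDIF record into {attr: [values]}.

    Raises ValueError with the offending line number when a line is neither
    'attr: value', a '-' modification separator, nor a space-prefixed
    continuation. This is a rough stand-in for the format check a real LDIF
    consumer performs, not ldapmodify's own parser."""
    unfolded = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" "):
            if not unfolded:
                raise ValueError(f"line {lineno}: continuation with nothing to continue")
            unfolded[-1] += raw[1:]
        elif raw in ("", "-"):
            continue
        elif ATTR_RE.match(raw):
            unfolded.append(raw)
        else:
            raise ValueError(f"line {lineno}: invalid format: {raw!r}")
    record = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        record.setdefault(attr, []).append(value.lstrip())
    return record


def is_valid_ldif(text):
    """True if `text` parses as an LDIF record, False otherwise."""
    try:
        parse_ldif(text)
        return True
    except ValueError:
        return False


# Constructed values mirroring the thread's example.com deployment.
SYSTEM_DN = "uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com"
USERS_DN = "cn=users,cn=accounts,dc=example,dc=com"

if __name__ == "__main__":
    aci = build_read_aci(["mailAlternateAddress"], "mailrecipient", SYSTEM_DN,
                         "Allow system account to read mail address")
    ldif = aci_modify_ldif(USERS_DN, aci)
    print(ldif)  # ready for: ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
    assert parse_ldif(ldif)["aci"] == [aci]
```

The folding rule is the part worth internalising: a mail client or editor that wraps a long `aci:` value onto a fresh line with no leading space turns a valid record into one the server rejects, while the same text with a single space at the start of each continuation line unfolds back to the original value.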
