[Freeipa-users] Best and Secure Way for a System Account
Günther J. Niederwimmer
gjn at gjn.priv.at
Fri Oct 21 19:05:23 UTC 2016
Hello,
Many, many thanks, this was the problem ;-)
Now I have a
modifying entry "cn=users,cn=accounts,dc=example,dc=com"
:-)))
So now I hope I can configure my Dovecot server and the mailAlternateAddress is found!
Thanks again.
On Friday, 21 October 2016, 16:21:35, Ludwig Krispenz wrote:
> On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > Thanks for the answer,
> >
> > On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> >> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List,
> >>>
> >>> Pardon me, but something is wrong with the LDIF I
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci:
> > (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipie
> > nt)") (version
> > 3.0; acl "Allow system account to read mail address"; allow(read,
> > search, compare) userdn =
> > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> > ""
> >
> > but what is wrong?
>
> The value for the aci attribute spans multiple lines. In an LDIF file a
> continuation line has to start with a space. Try
>
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr="mailAlternateAddress")
>  (targetfilter="(objectClass=mailrecipient)")
>  (version 3.0; acl "Allow system account to read mail address";
>   allow(read, search, compare)
>   userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>
> >>> I have searched and read for days now, but this FreeIPA / LDAP problem
> >>> is at too high a level for me :-(.
> >>>
> >>> Please help again.
> >>>
> >>> Thanks for an answer
> >>>
> >>> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >>>> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>>>> Hello Martin and List
> >>>>>
> >>>>> Thanks for the answer and Help.
> >>>>>
> >>>>> I mean my big problem is to understand the way to configure an ACI :-(.
> >>>
> >>> # ldapmodify -x -D 'cn=Directory Manager' -W
> >>>
> >>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >>> changetype: add
> >>> objectclass: account
> >>> objectclass: simplesecurityobject
> >>> uid: system
> >>> userPassword: secret123
> >>> passwordExpirationTime: 20380119031407Z
> >>> nsIdleTimeout: 0
> >>> <blank line>
> >>>
> >>> ^D
> >>>
> >>>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>>>>>
> >>>>>>> The IPA docs have no time stamp to find out whether this is current or old :-(.
> >>>>>>>
> >>>>>>> Thanks for an answer,
> >>>>>>
> >>>>>> Hi Günther,
> >>>>>>
> >>>>>> That LDIF looks OK to me.
> >>>>>>
> >>>>>> Do not forget that you must set up the correct ACIs in order for the
> >>>>>> system account to see the 'mailAlternateAddress' attribute.
> >>>>
> >>>> See the following document for a step-by-step guide on how to write
> >>>> ACIs:
> >>>>
> >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >>>>
> >>>> To allow the system account read access to your custom attributes, you
> >>>> can use LDIF like this (untested, hopefully I got it right from the top
> >>>> of my head):
> >>>>
> >>>> """
> >>>> dn: cn=users,cn=accounts,dc=example,dc=com
> >>>> changetype: modify
> >>>> add: aci
> >>>> aci:
> >>>> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailreci
> >>>> pi
> >>>> ent )")(version 3.0; acl "Allow system account to read mail address";
> >>>> allow(read,
> >>>> search, compare) userdn =
> >>>> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >>>> """
> >>>> Save it to a file and then call
> >>>>
> >>>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >>>>
> >>>> to add this ACI to the cn=users subtree. The ACI then applies to all
> >>>> entries in the subtree.
--
with kind regards / best regards,
Günther J. Niederwimmer
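The folding rule Ludwig describes, applied to the ACI from this thread, as an added example (Python, written for this page; it is not code from the FreeIPA project or from any of the posters). It reproduces a copy of the modification in which the aci value was wrapped by a mail client without the leading space that marks an LDIF continuation line (RFC 2849), flags those lines, produces a correctly folded version, and summarises what the ACI grants so that the read-only scope for the one system account can be confirmed before loading it. The DNs, the attribute and the 'mailrecipient' object class are taken from the thread; the sample LDIF is constructed here and was not run against a directory server.

```python
"""Fold, unfold and lint a multi-line LDIF attribute value (RFC 2849).

Added example for this thread, not code from FreeIPA or from any poster.
The ACI text below is copied from the thread; the sample LDIF is
constructed here and has not been loaded into a directory server.
"""

import re

MAX_LINE = 76  # RFC 2849 suggests folding lines longer than 76 characters

# Logical aci value from the thread, as one unfolded string.
ACI = (
    '(targetattr="mailAlternateAddress")'
    '(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; '
    'allow(read, search, compare) '
    'userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)'
)

HEADER = [
    "dn: cn=users,cn=accounts,dc=example,dc=com",
    "changetype: modify",
    "add: aci",
]

# Constructed copy of the broken version: the value was wrapped by a mail
# client, so the wrapped lines lack the leading space and ldapmodify reads
# each of them as a new, malformed attribute line.
BAD_LDIF = "\n".join(HEADER + [
    "aci:",
    '(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)") (version',
    '3.0; acl "Allow system account to read mail address"; allow(read,',
    'search, compare) userdn =',
    '"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)',
]) + "\n"

# An LDIF attribute line: attribute description followed by a colon
# ('::' for base64 and ':<' for URL values also start with that colon).
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")


def fold(line, width=MAX_LINE):
    """Fold one logical LDIF line; each continuation line starts with a space."""
    if len(line) <= width:
        return [line]
    out = [line[:width]]
    rest = line[width:]
    step = width - 1  # one column is taken by the continuation space
    while rest:
        out.append(" " + rest[:step])
        rest = rest[step:]
    return out


def unfold(lines):
    """Join continuation lines (leading space removed) into logical lines."""
    logical = []
    for line in lines:
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def lint_ldif(text):
    """Return (line number, line) for every line that is neither an attribute
    line, a continuation line, a comment nor an entry separator; such lines
    are almost always a value that was wrapped without folding."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if line == "" or line.startswith("#") or line.startswith(" "):
            continue
        if not ATTR_LINE.match(line):
            problems.append((n, line))
    return problems


def good_ldif():
    """The same modification with the aci value folded per RFC 2849."""
    return "\n".join(HEADER + fold("aci: " + ACI)) + "\n"


def aci_summary(aci):
    """Pull targetattr, granted rights and userdn out of a simple v3 ACI so the
    grant can be checked (here: read/search/compare only, for one account)."""
    attr = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    userdn = re.search(r'userdn\s*=\s*"([^"]*)"', aci)
    return {
        "targetattr": attr.group(1) if attr else None,
        "rights": {r.strip() for r in rights.group(1).split(",")} if rights else set(),
        "userdn": userdn.group(1) if userdn else None,
    }


if __name__ == "__main__":
    for n, line in lint_ldif(BAD_LDIF):
        print(f"BAD_LDIF line {n}: not folded: {line!r}")
    print(good_ldif())
    print(aci_summary(ACI))
```

Running the script lists the four wrapped lines of the constructed broken copy, prints the correctly folded LDIF (every continuation line begins with a single space, and `unfold` reassembles the original value), and shows that the ACI targets only `mailAlternateAddress` with `read`, `search` and `compare` for the single `uid=system` account and grants no write rights.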