Hi,
On Tue, Aug 13, 2024 at 1:15 PM Ronald Wimmer via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
On 13.08.24 11:35, Ronald Wimmer via FreeIPA-users wrote:
>
> On 13.08.24 11:17, Ronald Wimmer via FreeIPA-users wrote:
>>
>> On 13.08.24 10:20, Ronald Wimmer via FreeIPA-users wrote:
>>> As I do not know anything about LDAP users and permissions I would
>>> like to ask for advice in this matter.
>>>
>>> I need an LDAP user that is capable of creating users in the staging
>>> area as well as modifying or deleting existing users.
>>>
>>> I am aware of how to create a system user
>>> (https://www.freeipa.org/page/HowTo/LDAP) but I do not know if there
>>> is some kind of permission management (apart from putting the user in
>>> cn=sysaccounts and assigning the right objectclasses).
>>>
>>
>> I started reading about ACIs in Directory Server. Maybe I'll just
>> stick to using "cn=Directory Manager" for this task...
>
> This is how I think an ACI should look in order to allow user
> creation in the staging area.
>
> (targetattr = "*")
> (target = "ldap:///cn=staged users,cn=accounts,cn=provisioning,dc=linux,dc=mydomain,dc=at")
> (version 3.0;
> acl "iam add staging users aci";
> allow (add)
> (userdn = "ldap:///uid=someadminuser,cn=sysaccounts,cn=etc,dc=example,dc=com")
> ;)
>
> So I would need a separate ACI with "allow (all)" for DN:
> cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at to allow modification of
> existing users, right?

Looks like it would be much easier to add a regular IPA user and assign
all required permissions, right?
Yes, you can start by reading Managing role-based access controls in
IdM using the CLI
<https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-role-based-access-controls-in-idm-using-the-cli_managing-users-groups-hosts>
and Configuring IdM for external provisioning of users
<https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts>.
FreeIPA already provides roles for User Management. If the permissions
are too broad for your use case, you can follow the 2nd link and
tailor it to suit your needs.
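The role-based route suggested in the reply, written out as an added example that is not part of this thread and not FreeIPA's own tooling beyond the `ipa` commands it calls: a small script that creates a dedicated role holding only the stage-user privilege, creates an ordinary IPA user for the IAM tool to bind as, and ties the two together. Assumptions: it runs on an enrolled host with an admin Kerberos ticket; the role name "Staging Account Manager" and the user name "svc-provisioning" are chosen here; "Stage User Administrators" is, to my knowledge, the privilege FreeIPA ships for adding, modifying and removing stage users, so confirm it with `ipa privilege-find` before relying on it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a least-privilege IPA
# role for an external provisioning account, built with the ipa CLI instead
# of hand-written ACIs.
# Assumptions: an admin ticket is present (kinit admin); the privilege name
# below is the one FreeIPA ships for stage users (verify: ipa privilege-find).
# IPA can be overridden for a dry run:   IPA=echo sh stage-role.sh apply
set -u
IPA="${IPA:-ipa}"

ROLE="Staging Account Manager"             # role name chosen for this example
PRIV="Stage User Administrators"           # shipped privilege (assumption, see above)
SVC_USER="${SVC_USER:-svc-provisioning}"   # regular IPA user the IAM tool binds as

# Returns 0 when the role already exists, so the script can be re-run safely.
role_exists() {
  "$IPA" role-show "$ROLE" >/dev/null 2>&1
}

# Create the role only once.
ensure_role() {
  role_exists || "$IPA" role-add "$ROLE" \
    --desc="May add, modify and delete stage users, nothing else"
}

# Grant exactly one privilege. The built-in "User Administrator" role would
# also cover active users and groups, which is more than provisioning needs.
grant_stage_privilege() {
  "$IPA" role-add-privilege "$ROLE" --privileges="$PRIV"
}

# Create the provisioning account as an ordinary IPA user with a random
# initial password (ipa prints it once; keep it in your secret store).
ensure_service_user() {
  "$IPA" user-show "$SVC_USER" >/dev/null 2>&1 \
    || "$IPA" user-add "$SVC_USER" --first=Provisioning --last=Service --random
}

# Bind the account to the role.
assign_role() {
  "$IPA" role-add-member "$ROLE" --users="$SVC_USER"
}

# Smoke test, meant to run after 'kinit svc-provisioning': create, modify and
# delete a stage user. Nothing under cn=users is touched.
smoke_test() {
  "$IPA" stageuser-add example-staged --first=Example --last=Staged \
    && "$IPA" stageuser-mod example-staged --title="smoke test" \
    && "$IPA" stageuser-del example-staged
}

# Apply only when asked explicitly, so sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
  ensure_role && grant_stage_privilege && ensure_service_user && assign_role
  "$IPA" role-show "$ROLE"
fi
```

Run it as `kinit admin; sh stage-role.sh apply`, or prefix `IPA=echo` to see the commands without executing them. The random initial password IPA prints is expired and has to be changed at the service account's first `kinit`; after that, run `smoke_test` as that account to confirm it can work in the staging area and nothing more. If the provisioning account must also modify or delete active users, as the original question asked, add the corresponding privilege (in FreeIPA's shipped set that is "User Administrators", again to be confirmed with `ipa privilege-find`) to the same role rather than reaching for "cn=Directory Manager" or a broad ACI.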