On 03.09.24 17:04, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:
On 20.08.24 17:56, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 14.08.24 10:50, Florence Blanc-Renaud wrote:
Hi,

On Tue, Aug 13, 2024 at 1:15 PM Ronald Wimmer via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:

      On 13.08.24 11:35, Ronald Wimmer via FreeIPA-users wrote:
       >
       >
       > On 13.08.24 11:17, Ronald Wimmer via FreeIPA-users wrote:
       >>
       >>
       >> On 13.08.24 10:20, Ronald Wimmer via FreeIPA-users wrote:
       >>> As I do not know anything about LDAP users and permissions I would
       >>> like to ask for advice in this matter.
       >>>
       >>> I need an LDAP user that is capable of creating users in the staging
       >>> area as well as modifying or deleting existing users.
       >>>
       >>> I am aware of how to create a system user
       >>> (https://www.freeipa.org/page/HowTo/LDAP) but I do not know if there
       >>> is some kind of permission management (apart from putting the user in
       >>> cn=sysaccounts and assigning the right objectclasses).
       >>>
       >>
       >> I started reading about ACIs in Directory Server. Maybe I'll just
       >> stick to using "cn=Directory Manager" for this task...
       >
       > This is how I think an ACI should look like in order to allow user
       > creation in the staging area.
       >
       > (targetattr = "*")
       > (target = "ldap:///cn=staged users,cn=accounts,cn=provisioning,dc=linux,dc=mydomain,dc=at")
       > (version 3.0;
       > acl "iam add staging users aci";
       > allow (add)
       > (userdn = "ldap:///uid=someadminuser,cn=sysaccounts,cn=etc,dc=example,dc=com")
       > ;)
       >
       > So I would need a separate ACI with "allow (all)" for DN:
       > cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at to allow modification of
       > existing users, right?

      Looks like it would be much easier to add a regular IPA user and assign
      all required permissions, right?


Yes, you can start by reading Managing role-based access controls in IdM
using the CLI
<https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-role-based-access-controls-in-idm-using-the-cli_managing-users-groups-hosts>
and Configuring IdM for external provisioning of users
<https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts>.
FreeIPA already provides roles for User Management. If the permissions
are too broad for your use case, you can follow the 2nd link and
tailor it to suit your needs.

Thanks for confirming. Fortunately, I am aware of both links you
provided. We implemented and tested everything on our IPA test instance.
Just need to switch from Directory Manager to a designated user for this
particular scenario.


There currently isn't an API to add sysaccount users to RBAC rules. You
can do it manually by adding their DN to the desired role. That should
trigger the memberof plugin and grant the sysaccount user all the
associated permissions.

Or you can use a standard IPA user which is probably easier overall.

When we used IPA in migration mode and Directory Manager to create stage
users we could create IPA users with a password supplied by the external
system. After switching from "Directory Manager" to a dedicated IPA
user the password of newly created IPA users expired immediately.
(which is a no-go for our use case...)

What would be the best way to cope with this situation?

Directory Manager is special and will mask situations like this.

Look into passSyncManagersDNs in the winsync docs. It will allow
passwords to be written without applying password policies and resets.

Works perfectly! Thanks a lot Rob!

The only remaining question is if there is a possibility to prevent that particular user's password from expiring. Will setting maxlife to 0 work?
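Putting Rob's two suggestions from this thread together (add the sysaccount DN to an RBAC role by hand, since ipa role-add-member does not accept sysaccounts, and list the same DN in passSyncManagersDNs so the passwords it writes are not expired on creation), here is an added example script. It is not from the thread and not FreeIPA project code. The suffix dc=example,dc=com, the system account uid=provisioner,cn=sysaccounts,cn=etc and the built-in "User Administrator" role are assumed placeholders; the built-in role is broad, so substitute the narrower role from the external-provisioning document if that is what you set up. Without arguments it only prints the LDIF for review; with --apply it feeds the LDIF to ldapmodify as Directory Manager and then shows the resulting memberOf values.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Grants an LDAP system account the rights of an IPA RBAC role by adding its
# DN to the role entry directly, and lists it in passSyncManagersDNs so the
# passwords it sets are stored as supplied instead of being expired at once.
# All DNs below are assumed placeholders; adjust them to your deployment.
set -u

SUFFIX="${SUFFIX:-dc=example,dc=com}"
SYSACCOUNT_DN="${SYSACCOUNT_DN:-uid=provisioner,cn=sysaccounts,cn=etc,$SUFFIX}"
ROLE_DN="${ROLE_DN:-cn=User Administrator,cn=roles,cn=accounts,$SUFFIX}"
PWD_PLUGIN_DN="cn=ipa_pwd_extop,cn=plugins,cn=config"

# LDIF that puts the system account into the role. The memberOf plugin then
# walks role -> privilege -> permission, and the permission ACIs apply to it.
role_member_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' \
        "$ROLE_DN" "$SYSACCOUNT_DN"
}

# LDIF that registers the account as a password sync manager: passwords it
# writes are stored as given rather than being marked for a forced reset.
passsync_manager_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
        "$PWD_PLUGIN_DN" "$SYSACCOUNT_DN"
}

# Both changes touch entries only Directory Manager may edit, so apply them
# once as that identity (reads LDIF from stdin, prompts for the password),
# then stop using Directory Manager for day-to-day provisioning.
apply_ldif() {
    ldapmodify -x -D "cn=Directory Manager" -W
}

# Check 1: the account should now carry memberOf values for the role, its
# privileges and their permissions.
show_memberof() {
    ldapsearch -x -LLL -D "cn=Directory Manager" -W \
        -b "$SYSACCOUNT_DN" -s base memberOf
}

# Check 2: after the account has created a user with a password, that user's
# krbPasswordExpiration must lie in the future, not at creation time.
# $1 = uid of the newly created user.
show_password_expiry() {
    ldapsearch -x -LLL -D "cn=Directory Manager" -W \
        -b "uid=$1,cn=users,cn=accounts,$SUFFIX" -s base krbPasswordExpiration
}

case "${1:-}" in
    --apply)
        { role_member_ldif; echo; passsync_manager_ldif; } | apply_ldif
        show_memberof
        ;;
    *)
        # Dry run: print the LDIF so it can be reviewed before applying.
        role_member_ldif
        echo
        passsync_manager_ldif
        ;;
esac
```

A practitioner's caveat: the passSyncManagersDNs entry means password writes by that account skip the policy checks and reset handling that normally apply, so the account's own credential deserves the same protection as the external system that drives it, and a bind as the sysaccount that creates one stage user is the quickest end-to-end check that the role membership really took effect.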
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
