Hello Martin and List,

Pardon me, but something is wrong with the LDIF I

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry: "cn=users,cn=accounts,dc=4gjn,dc=com"

I have searched and read for some days now, but this FreeIPA / LDAP problem is at too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> >
> > Thanks for the answer and help.
> >
> > I mean my big problem is to understand the way to configure an ACI :-(.
> >
> >>> # ldapmodify -x -D 'cn=Directory Manager' -W
> >>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >>> changetype: add
> >>> objectclass: account
> >>> objectclass: simplesecurityobject
> >>> uid: system
> >>> userPassword: secret123
> >>> passwordExpirationTime: 20380119031407Z
> >>> nsIdleTimeout: 0
> >>> <blank line>
> >>> ^D
> >>>
> >>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>
> >>> The IPA docs have no time stamp to find out whether this is current or old :-(.
> >>>
> >>> Thanks for an answer,
> >>
> >> Hi Gunther,
> >>
> >> that LDIF looks ok to me.
> >>
> >> Do not forget that you must set up the correct ACIs in order for the
> >> system account to see the 'mailAlternateAddress' attribute.
>
> See the following document for a step-by-step guide on how to write ACIs:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>
> To allow the system account read access to your custom attributes, you
> can use LDIF like this (untested, hopefully I got it right from the top
> of my head):
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
> )")(version 3.0; acl "Allow system account to read mail address";
> allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> """
> save it to file and then call
>
> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>
> to add this ACI to cn=users subtree. The ACI then applies to all entries
> in the subtree.

--
kind regards / best regards,
Günther J. Niederwimmer

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
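The "invalid format (line N)" message that ldapmodify prints in the thread is what a 389 DS / FreeIPA client reports when a physical line of the LDIF is neither "attribute: value" nor a continuation line beginning with a single space (RFC 2849). The following is an added example, not code from the thread, from FreeIPA or from 389 DS: it re-implements just those two LDIF line rules in Python, replays them over a constructed copy of the mail-wrapped ACI record so the same line number falls out, and shows how a long aci value is folded legally. The parser is deliberately minimal (no base64 or URL values are decoded) and the ACI string is the one quoted in the thread, embedded here as constructed sample input.

```python
"""Minimal LDIF line checker and folder (added example, not 389 DS / FreeIPA code).

Only the RFC 2849 rules relevant to the thread are implemented:
  - every logical line must look like ``name: value`` (``name::`` / ``name:<`` also start with a colon);
  - a physical line beginning with one space continues the previous logical line;
  - blank lines end a record, ``#`` lines are comments, ``-`` separates modify changes.
"""
import re

# attribute description followed by ':' (also matches 'name::' and 'name:<')
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*:")

# Constructed sample: the ACI value quoted in the thread, on one logical line.
ACI_VALUE = (
    '(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; '
    'allow(read, search, compare) userdn = '
    '"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)'
)

# Constructed sample: the same record after a mail client hard-wrapped the aci line.
# Lines 5-9 start without a leading space, so they are not continuations.
WRAPPED = "\n".join([
    "dn: cn=users,cn=accounts,dc=example,dc=com",
    "changetype: modify",
    "add: aci",
    "aci:",
    '(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient',
    ')")(version 3.0; acl "Allow system account to read mail address";',
    "allow(read,",
    "search, compare) userdn =",
    '"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)',
    "",
])


def unfold(text):
    """Join continuation lines. Returns [(first_physical_lineno, logical_line), ...]."""
    logical = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and logical:
            # RFC 2849: strip exactly one leading space and append to the previous line
            first, prev = logical[-1]
            logical[-1] = (first, prev + raw[1:])
        else:
            logical.append((lineno, raw))
    return logical


def check_ldif(text):
    """Return None if every logical line is well formed, else the physical line number
    of the first line ldapmodify would reject with 'invalid format'."""
    for lineno, line in unfold(text):
        if line == "" or line == "-" or line.startswith("#"):
            continue
        if not ATTR_LINE.match(line):
            return lineno
    return None


def fold_value(name, value, width=76):
    """Emit 'name: value' split into continuation lines of at most `width` characters,
    each continuation prefixed with the single space RFC 2849 requires."""
    line = f"{name}: {value}"
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def build_aci_record(base_dn="cn=users,cn=accounts,dc=example,dc=com", aci=ACI_VALUE):
    """Build a well-formed modify record that adds `aci` to `base_dn`."""
    return "\n".join([
        f"dn: {base_dn}",
        "changetype: modify",
        "add: aci",
        fold_value("aci", aci),
        "",
    ])


FIXED = build_aci_record()

if __name__ == "__main__":
    print("mail-wrapped record fails at line:", check_ldif(WRAPPED))   # 5
    print("folded record fails at line:", check_ldif(FIXED))           # None
    print(FIXED)
```

Running the module prints the same line number the thread's ldapmodify error reports: line 4 ("aci:") is formally fine, line 5 is the first one that is neither an attribute line nor a space-prefixed continuation. The record produced by build_aci_record() unfolds back to the single logical aci line, which is the form that must be saved to aci.ldif before feeding it to ldapmodify.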
