On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
Hello Martin and List,
Pardon me, but something is wrong with the LDIF; I run:
ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"
dn: cn=users,cn=accounts,dc=4gjn,dc=com
I have searched and read for days now, but this FreeIPA / LDAP problem is too
high a level for me :-(.
Please help again.
Thanks for an answer
On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
Hello Martin and List
Thanks for the answer and help.
I mean my big problem is understanding how to configure an ACI :-(.
# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D
https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
The IPA docs have no timestamp to find out whether this is current or old :-(.
Thanks for an answer,
Hi Gunther,
that LDIF looks OK to me.
Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.
See the following document for a step-by-step guide on how to write ACIs:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):
"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
)")(version 3.0; acl "Allow system account to read mail address";
allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
save it to a file and then call
ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
to add this ACI to the cn=users subtree. The ACI then applies to all entries
in the subtree.
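An added example, not from the thread: a small Python pre-flight check that reproduces the "invalid format (line 5)" rejection reported above when the long aci value is wrapped onto its own line with no leading space, and shows the RFC 2849 folding (continuation lines starting with one space) under which the same record loads. The ACI text and DNs are the ones from the reply; the helper names and the "broken" file are constructed here.

```python
import re

# Constructed sample: the ACI from the reply, written out as a single value.
ACI = ('(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")'
       '(version 3.0; acl "Allow system account to read mail address"; '
       'allow(read, search, compare) '
       'userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)')
HEADER = "dn: cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nadd: aci\n"
# Constructed "broken" file: the wrapped value sits on line 5 with no leading space.
BROKEN_LDIF = HEADER + "aci:\n" + ACI + "\n"
ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*):{1,2} ?(.*)$")

def fold_ldif_value(attr: str, value: str, width: int = 76) -> list[str]:
    """'attr: value' as RFC 2849 folded lines: each continuation line starts
    with one space, which the reader strips before re-joining the pieces."""
    line = f"{attr}: {value}"
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def parse_ldif_record(text: str) -> list[tuple[str, str]]:
    """Unfold continuations, then require every logical line to be 'attr: value';
    the first line that is not is reported by number, as ldapmodify does."""
    logical: list[tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and logical:          # continuation line
            logical[-1] = (logical[-1][0], logical[-1][1] + raw[1:])
        elif raw.strip():
            logical.append((n, raw))
    pairs = []
    for n, line in logical:
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"invalid format (line {n})")
        pairs.append((m.group(1), m.group(2)))
    return pairs

def check_ldif(text: str) -> str:
    """'ok' or the parser's error, for pre-flighting a file before ldapmodify."""
    try:
        parse_ldif_record(text)
        return "ok"
    except ValueError as e:
        return str(e)

def fixed_ldif() -> str:
    """The same modify record with the aci value folded correctly."""
    return HEADER + "\n".join(fold_ldif_value("aci", ACI)) + "\n"
```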
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project