Hello, thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > Hello Martin and List,
> >
> > Pardon me, but something is wrong with the ldif I
> >
> > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > Enter LDAP Password:
> > ldapmodify: invalid format (line 5) entry:
> > "cn=users,cn=accounts,dc=4gjn,dc=com"
> > dn: cn=users,cn=accounts,dc=4gjn,dc=com
>
> this is in the ldif ?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

but what is wrong ?

> > I have searched and read for days now, but this FreeIPA / LDAP problem is
> > at too high a level for me :-(.
> >
> > Please help again.
> >
> > Thanks for an answer
> >
> > On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List
> >>>
> >>> Thanks for the answer and help.
> >>>
> >>> I mean my big problem is to understand the way to configure an ACI :-(.
> >
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> >
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> > <blank line>
> >
> > ^D
> >
> >>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>>>
> >>>>> The IPA docs have no time stamp to find out whether this is current
> >>>>> or old :-(.
> >>>>>
> >>>>> Thanks for an answer,
> >>>>
> >>>> Hi Gunther,
> >>>>
> >>>> that LDIF looks ok to me.
> >>>>
> >>>> Do not forget that you must set up the correct ACIs in order for the
> >>>> system account to see the 'mailAlternateAddress' attribute.
> >>
> >> See the following document for a step-by-step guide on how to write ACIs:
> >>
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >>
> >> To allow the system account read access to your custom attributes, you
> >> can use LDIF like this (untested, hopefully I got it right from the top
> >> of my head):
> >>
> >> """
> >> dn: cn=users,cn=accounts,dc=example,dc=com
> >> changetype: modify
> >> add: aci
> >> aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >> """
> >>
> >> save it to a file and then call
> >>
> >> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >>
> >> to add this ACI to the cn=users subtree. The ACI then applies to all entries
> >> in the subtree.

-- 
best regards,
Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
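An added check, not part of this thread and not FreeIPA or 389-ds code, of the LDIF rule behind an "invalid format (line N)" error from ldapmodify: RFC 2849 lets a long attribute value continue on following lines only when each continuation line begins with a single space. The script (assumes Python 3.9+) builds the cn=users ACI record from the thread with correct folding, parses it back, and rejects a constructed copy whose aci value continues on line 5 without that leading space.

```python
import re

# ACI text from the thread: read/search/compare on one attribute, for one bind DN only.
ACI_VALUE = ('(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")'
             '(version 3.0; acl "Allow system account to read mail address"; '
             'allow(read, search, compare) '
             'userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)')

# Constructed LDIF: the aci value continues on line 5 without the leading space that
# RFC 2849 requires for a continuation, so ldapmodify stops with "invalid format (line 5)".
BAD_LDIF = ("dn: cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nadd: aci\n"
            'aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")\n'
            '(version 3.0; acl "Allow system account to read mail address"; allow(read, search, '
            'compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)\n')

ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*:")

def fold_ldif_line(attr: str, value: str, width: int = 76) -> list[str]:
    """Emit 'attr: value' folded at `width`; each continuation line starts with ONE space."""
    line = f"{attr}: {value}"
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def build_aci_modify(dn: str, aci: str) -> str:
    """Correctly folded LDIF record that adds `aci` to the entry `dn`."""
    lines = fold_ldif_line("dn", dn) + ["changetype: modify", "add: aci"]
    return "\n".join(lines + fold_ldif_line("aci", aci)) + "\n"

def parse_ldif_record(text: str) -> dict[str, list[str]]:
    """Unfold and parse one record; a line that is neither 'attr: value' nor a
    space-prefixed continuation raises ValueError naming the 1-based line."""
    unfolded: list[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw == "":
            break  # blank line ends the record
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation: drop exactly one space
        elif ATTR_RE.match(raw):
            unfolded.append(raw)
        else:
            raise ValueError(f"invalid format (line {n}): {raw[:40]!r}")
    record: dict[str, list[str]] = {}
    for line in unfolded:
        attr, _, val = line.partition(":")
        record.setdefault(attr.lower(), []).append(val.strip())
    return record
```

Running `parse_ldif_record` over a file before handing it to ldapmodify reports the same line number ldapmodify would, and `build_aci_modify` writes a record that needs no manual wrapping.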
