Hello, many, many thanks, this was the problem ;-)

Now I have a modifying entry "cn=users,cn=accounts,dc=example,dc=com" :-))) So now I hope I can configure my Dovecot server and the mailAlternateAddress is found! Thanks again.

On Friday, 21 October 2016, 16:21:35, Ludwig Krispenz wrote:
> On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > Thanks for the answer,
> >
> > On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> >> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List,
> >>>
> >>> Pardon me, but something is wrong with the LDIF I
> > dn: cn=users,cn=accounts,dc=example,dc=com
> > changetype: modify
> > add: aci
> > aci:
> > (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)") (version
> > 3.0; acl "Allow system account to read mail address"; allow(read,
> > search, compare) userdn =
> > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> > ""
> >
> > but what is wrong ?
>
> The value for the aci attribute spans multiple lines. In an LDIF file a
> continuation line has to start with a space. Try
>
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
>  (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)") (version
>  3.0; acl "Allow system account to read mail address"; allow(read,
>  search, compare) userdn =
>  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>
> >>> I have searched and read for some days now, but this FreeIPA / LDAP problem
> >>> is at too high a level for me :-(.
> >>>
> >>> Please help again...
> >>>
> >>> Thanks for an answer
> >>>
> >>> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >>>> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>>>> Hello Martin and List
> >>>>>
> >>>>> Thanks for the answer and help.
> >>>>>
> >>>>> I mean my big problem is understanding how to configure an ACI :-(.
> >>>
> >>> # ldapmodify -x -D 'cn=Directory Manager' -W
> >>>
> >>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> >>> changetype: add
> >>> objectclass: account
> >>> objectclass: simplesecurityobject
> >>> uid: system
> >>> userPassword: secret123
> >>> passwordExpirationTime: 20380119031407Z
> >>> nsIdleTimeout: 0
> >>> <blank line>
> >>>
> >>> ^D
> >>>
> >>>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>>>>>
> >>>>>>> The IPA docs have no timestamp to find out whether this is current or old
> >>>>>>> :-(.
> >>>>>>>
> >>>>>>> Thanks for an answer,
> >>>>>>
> >>>>>> Hi Gunther,
> >>>>>>
> >>>>>> that LDIF looks OK to me.
> >>>>>>
> >>>>>> Do not forget that you must set up the correct ACIs in order for the
> >>>>>> system account to see the 'mailAlternateAddress' attribute.
> >>>>
> >>>> See the following document for a step-by-step guide on how to write
> >>>> ACIs:
> >>>>
> >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >>>>
> >>>> To allow the system account read access to your custom attributes, you
> >>>> can use LDIF like this (untested, hopefully I got it right from the top
> >>>> of my head):
> >>>>
> >>>> """
> >>>> dn: cn=users,cn=accounts,dc=example,dc=com
> >>>> changetype: modify
> >>>> add: aci
> >>>> aci:
> >>>>  (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address";
> >>>>  allow(read,
> >>>>  search, compare) userdn =
> >>>>  "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >>>> """
> >>>> save it to a file and then call
> >>>>
> >>>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >>>>
> >>>> to add this ACI to the cn=users subtree. The ACI then applies to all
> >>>> entries
> >>>> in the subtree.

--
with kind regards / best regards,
Günther J. Niederwimmer

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
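As an added example (not part of the thread, and not FreeIPA or 389 DS code), the following Python unfolds an LDIF change record the way an RFC 2849 parser does, showing why the bare-wrapped aci value from the thread is rejected while the version with continuation lines is accepted, and then reads back which rights the resulting ACI grants to which bind DN so the grant can be reviewed before it is applied. The LDIF strings and the function names are constructed for this example.

```python
"""Added example: unfold an LDIF record per RFC 2849 and read back what the ACI grants.
FIXED_LDIF is the thread's ACI with every wrapped line starting with one space (constructed)."""
import re

FIXED_LDIF = """\
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
 (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
 (version 3.0; acl "Allow system account to read mail address"; allow(read,
 search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""
# What the reporter's file looked like: the same text with the leading spaces missing.
BROKEN_LDIF = re.sub(r"^ ", "", FIXED_LDIF, flags=re.M)

def unfold_ldif(text):
    """Return (attribute, value) pairs. A line starting with one space continues the previous
    value (RFC 2849 drops that space); anything else must be 'name: value' or ValueError."""
    pairs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        if line.startswith(" ") and pairs:
            name, value = pairs[-1]
            pairs[-1] = (name, value + line[1:])
            continue
        name, sep, value = line.partition(":")
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9.;-]*", name):
            raise ValueError("line %d is neither 'attr: value' nor a continuation" % lineno)
        pairs.append((name, value.lstrip()))
    return pairs

def ldif_ok(text):
    """True when the record parses; False is what ldapmodify's rejection corresponds to."""
    try:
        unfold_ldif(text)
        return True
    except ValueError:
        return False

def aci_grants(aci):
    """Return (set of rights, bind DN) from a bind-rule ACI value for review before applying."""
    rights = re.search(r"allow\s*\(([^)]*)\)", aci)
    userdn = re.search(r'userdn\s*=\s*"([^"]+)"', aci)
    if not rights or not userdn:
        raise ValueError("ACI has no allow(...) or userdn clause")
    return {r.strip() for r in rights.group(1).split(",")}, userdn.group(1)
```

Because the continuation's leading space is dropped, a space that belongs in the value needs two spaces at the start of the continued line.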
