On Tue, 19 Dec 2023, RA via FreeIPA-users wrote:
Hi,
I created a System Account as indicated at https://www.freeipa.org/page/HowTo/LDAP#system-accounts and it works as expected (it is used to perform LDAP bind for authentication in my email application). The problem comes when I try to use it to read additional attributes (required by postfix-ldap) in my users, for example, mailAlternateAddress (it is not able to read the attribute).
As a workaround, I created a "regular" LDAP user and assigned the permissions/roles required and it works, however, I don't think that a dedicated user should be created to perform this task, am I wrong?
Considering the scenario described, I have a couple of questions:
- Is it possible to grant permissions to a System Account to read those attributes? (I tried to add it to the roles/permissions using memberOf but it didn't allow me to add those attributes; I got a permissions error even when I used my admin account to run ldapmodify.)
- What would be the "correct" way to do the configuration? (I mean a regular user? Something else?)
What you can do is to create a group, assign a role/permission/privilege to that group and manually add your system account to the group as a member. To do so, the system account object should have the nsMember objectclass so that the memberof plugin can add back a 'memberof: DN-of-a-group' attribute to the system account entry.
This way you can manage attribute access for any system account. The only drawback is that membership would be a manual operation to add/remove using the --addattr and --delattr options of `ipa group-mod`.
# ipa group-add sysaccount-members --nonposix
--------------------------------
Added group "sysaccount-members"
--------------------------------
  Group name: sysaccount-members

# ipa group-mod sysaccount-members --addattr member=uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
-----------------------------------
Modified group "sysaccount-members"
-----------------------------------
  Group name: sysaccount-members

# ipa group-show sysaccount-members --raw --all
  dn: cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test
  cn: sysaccount-members
  member: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
  ipaUniqueID: a095e746-9f07-11ee-930c-fa163e1382c3
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup
  objectClass: ipausergroup
  objectClass: ipaobject

# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA1-TEST.socket -b uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudo, sysaccounts, etc, ipa1.test
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
objectClass: account
objectClass: simplesecurityobject
objectClass: top
objectClass: nsMemberOf
uid: sudo
userPassword:: some value
memberOf: cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I am adding the group with the --nonposix option to avoid spending IDs for this group, as it will only be used in LDAP access controls and does not need to be a POSIX one.
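As an added illustration, not part of the thread or of FreeIPA itself, the POSIX shell script below generates the ldapmodify LDIF that gives a system account the nsMemberOf objectclass (an assumed step, since the ipa CLI does not manage system accounts) and then checks an ldapsearch dump of the account for the memberOf backlink the reply expects. The sample entry is constructed from the output shown above, with the memberOf value folded over two lines to exercise LDIF unfolding; the DNs are the ones from the reply.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the system account and group DNs
# from the reply; the LDIF for adding the objectclass is an assumption about
# how to prepare a system account that the ipa CLI does not manage.
set -e
SYSACCOUNT_DN='uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test'
GROUP_DN='cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test'

# LDIF for `ldapmodify`: give the system account the nsMemberOf objectclass so
# the memberof plugin is allowed to write the memberOf backlink onto it.
sysaccount_prepare_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: nsMemberOf\n' "$1"
}

# Join LDIF continuation lines (leading space) so folded values compare whole.
unfold_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }'
}

# Verify an ldapsearch dump of the account: returns 0 only if the entry has the
# nsMemberOf objectclass and a memberOf value equal to the group DN (args:
# LDIF text, group DN). Comparison is case-insensitive, as LDAP DNs are.
check_memberof() {
  entry=$(printf '%s\n' "$1" | unfold_ldif)
  printf '%s\n' "$entry" | grep -qix 'objectClass: nsMemberOf' || return 1
  printf '%s\n' "$entry" | grep -Fqix "memberOf: $2" || return 1
}

# Constructed sample modelled on the ldapsearch output in the reply, with the
# memberOf value folded across two lines the way ldapsearch prints long values.
SAMPLE_ENTRY='dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
objectClass: account
objectClass: simplesecurityobject
objectClass: top
objectClass: nsMemberOf
uid: sudo
memberOf: cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=te
 st'

sysaccount_prepare_ldif "$SYSACCOUNT_DN"
if check_memberof "$SAMPLE_ENTRY" "$GROUP_DN"; then
  echo "memberOf backlink present on $SYSACCOUNT_DN"
else
  echo "memberOf backlink missing: check objectclass and group membership" >&2
fi
```

Feed the generated LDIF to `ldapmodify` before running `ipa group-mod --addattr member=...`; if the check still fails afterwards, the account entry is what to inspect, not the group.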