Hi,
I created a System Account as indicated at https://www.freeipa.org/page/HowTo/LDAP#system-accounts and it works as expected (it is used to perform LDAP bind for authentication in my email application). The problem comes when I try to use it to read additional attributes (required by postfix-ldap) in my users, for example, mailAlternateAddress (it is not able to read the attribute).
As a workaround, I created a "regular" LDAP user and assigned the permissions/roles required, and it works; however, I don't think that a dedicated user should be created to perform this task, am I wrong?
Considering the scenario described, I have a couple of questions:
1. Is it possible to grant permissions to a System Account to read those attributes? (I tried to add it to the roles/permissions using memberOf but it didn't allow me to add those attributes; I got a permissions error even if I used my admin account to run ldapmodify.)
2. What would be the "correct" way to do the configuration? (I mean a regular user? Something else?)
Thanks
On Tue, 19 Dec 2023, RA via FreeIPA-users wrote:
> Hi,
> I created a System Account as indicated at https://www.freeipa.org/page/HowTo/LDAP#system-accounts and it works as expected (it is used to perform LDAP bind for authentication in my email application). The problem comes when I try to use it to read additional attributes (required by postfix-ldap) in my users, for example, mailAlternateAddress (it is not able to read the attribute).
> As a workaround, I created a "regular" LDAP user and assigned the permissions/roles required, and it works; however, I don't think that a dedicated user should be created to perform this task, am I wrong?
> Considering the scenario described, I have a couple of questions:
> - Is it possible to grant permissions to a System Account to read those attributes? (I tried to add it to the roles/permissions using memberOf but it didn't allow me to add those attributes; I got a permissions error even if I used my admin account to run ldapmodify.)
> - What would be the "correct" way to do the configuration? (I mean a regular user? Something else?)
What you can do is to create a group, assign the role/permission/privilege to that group, and manually add your system account to the group as a member. To do so, the system account object should have the nsMemberOf objectclass so that the memberof plugin can add a 'memberof: DN-of-a-group' attribute back to the system account entry.
This way you can manage attribute access for any system account. The only drawback is that membership is a manual operation, added/removed using the --addattr and --delattr options of `ipa group-mod`.
# ipa group-add sysaccount-members --nonposix
--------------------------------
Added group "sysaccount-members"
--------------------------------
  Group name: sysaccount-members

# ipa group-mod sysaccount-members --addattr member=uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
-----------------------------------
Modified group "sysaccount-members"
-----------------------------------
  Group name: sysaccount-members

# ipa group-show sysaccount-members --raw --all
  dn: cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test
  cn: sysaccount-members
  member: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
  ipaUniqueID: a095e746-9f07-11ee-930c-fa163e1382c3
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup
  objectClass: ipausergroup
  objectClass: ipaobject

# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA1-TEST.socket -b uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudo, sysaccounts, etc, ipa1.test
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
objectClass: account
objectClass: simplesecurityobject
objectClass: top
objectClass: nsMemberOf
uid: sudo
userPassword:: some value
memberOf: cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I am adding the group with the --nonposix option to avoid spending IDs on this group, as it will only be used in LDAP access controls and does not need to be a POSIX one.
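A preflight check for the approach above, added here as an example and not code from the thread or from FreeIPA: it parses the system account's LDIF entry as returned by ldapsearch, confirms the nsMemberOf objectClass is present (without it the memberof plugin will not write memberOf), and builds the ldapmodify LDIF that adds the objectClass and adds the account to the group. The DNs are the ones from the thread; the LDIF entry is a constructed sample and the function names are my own.

```python
import base64

# DNs taken from the thread; the LDIF entry below is a constructed sample.
ACCOUNT_DN = "uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test"
GROUP_DN = "cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test"

SAMPLE_BEFORE = """\
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
userPassword:: cmVkYWN0ZWQ=
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}; handles folded lines and '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def has_nsmemberof(entry):
    """The memberof plugin only writes memberOf when this objectClass is present."""
    return any(oc.lower() == "nsmemberof" for oc in entry.get("objectclass", []))

def is_member_of(entry, group_dn):
    return any(v.lower() == group_dn.lower() for v in entry.get("memberof", []))

def fix_ldif(entry, account_dn=ACCOUNT_DN, group_dn=GROUP_DN):
    """LDIF for ldapmodify: add nsMemberOf if it is missing, then add the account to the group."""
    changes = []
    if not has_nsmemberof(entry):
        changes.append(f"dn: {account_dn}\nchangetype: modify\n"
                       f"add: objectClass\nobjectClass: nsMemberOf\n")
    changes.append(f"dn: {group_dn}\nchangetype: modify\n"
                   f"add: member\nmember: {account_dn}\n")
    return "\n".join(changes)
```

Feed the output of `fix_ldif(parse_ldif_entry(...))` to `ldapmodify` as Directory Manager, then re-run the ldapsearch from the thread and check that memberOf now appears on the system account.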
freeipa-users@lists.fedorahosted.org