Hmm. My setup had the employeenumber not checked in the permissions for that role. It's working now.

On April 20, 2022 11:24:53 AM EDT, Rob Crittenden <rcritten@redhat.com> wrote:
Jim Kinney via FreeIPA-users wrote:
I need to compare a number stored on CAC with the one in employeenumber
in IdM. I have a non-admin bind user for this and other generic LDAP
data access for 3rd party needs. But only the Directory Manager can pull
that field.

Is there a permission setting to allow a system account to access that
field? The account was created using the method from Red Hat solution
4408441.

Any authenticated user can read it per the permission "System: Read User
Addressbook Attributes".

There is definitely not something specific to the DM. A kinit should
allow it as well:

ldapsearch -LLLQ -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test employeenumber

A bind user works for me.

rob


--
Computers amplify human error
Super computers are really cool
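An added example, not part of the thread: a POSIX sh script that runs the same check as a simple-bind system account instead of a kinit, then parses the returned LDIF. The point it makes is the one Jim hit: when a permission or role omits an attribute, 389-ds returns no error, the attribute is simply absent from the entry, so a CAC comparison must treat "absent" as a mismatch. The bind DN `uid=cacsync,cn=sysaccounts,cn=etc,...` and the sample LDIF are constructed; the base DN is the one from Rob's command.

```shell
# Added example, not from the thread: check what a non-admin bind user can read,
# then compare the IdM employeeNumber with the CAC value. An ACI that withholds an
# attribute produces no error: the attribute is simply absent, so test for presence.

BASE_DN="cn=users,cn=accounts,dc=example,dc=test"                # from Rob's command
BIND_DN="uid=cacsync,cn=sysaccounts,cn=etc,dc=example,dc=test"   # hypothetical system account

# Live query as the system account over StartTLS (-W prompts for its password);
# pipe the LDIF into the functions below.
fetch_employeenumbers() {
    ldapsearch -LLL -x -ZZ -D "$BIND_DN" -W -b "$BASE_DN" '(uid=*)' uid employeeNumber
}

# ldif_table LDIF: one "uid<TAB>employeeNumber" line per entry, "-" when absent.
ldif_table() {
    printf '%s\n' "$1" | awk '
        BEGIN { RS = ""; FS = "\n" }
        {
            uid = ""; val = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^uid: /) uid = substr($i, 6)
                if (tolower($i) ~ /^employeenumber: /) val = substr($i, 17)
            }
            if (uid != "") print uid "\t" val
        }'
}

# missing_employeenumber LDIF: print uids whose attribute was not returned;
# exit 1 if there are any (the symptom of a role/permission that omits the field).
missing_employeenumber() {
    ldif_table "$1" | awk -F'\t' '$2 == "-" { print $1; n++ } END { exit (n > 0) }'
}

# cac_matches UID CAC_NUMBER LDIF: succeed only when the IdM value is present and
# equal to the CAC value; an unreadable attribute is a mismatch, never a pass.
cac_matches() {
    idm=$(ldif_table "$3" | awk -F'\t' -v u="$1" '$1 == u { print $2 }')
    [ -n "$idm" ] && [ "$idm" != "-" ] && [ "$idm" = "$2" ]
}

# Constructed sample: alice's value is readable, bob's was withheld by the ACI.
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
employeeNumber: 1234567890

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
'
missing_employeenumber "$SAMPLE_LDIF" || echo "^ no readable employeeNumber for these users"
```

Running `fetch_employeenumbers | ...` as the real system account and seeing uids listed by `missing_employeenumber` is the quick way to tell an ACI gap from a genuinely empty attribute.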