On 1/24/19 4:17 PM, Adam Bishop via FreeIPA-users wrote:
> I have a piece of software that tries to look up its own uid to check
> that LDAP is correctly configured.
>
> This check fails because the sysaccount cannot view anything under
> cn=etc,cn=sysaccounts.
>
> Is there an existing permission/privilege that I can use to allow it to
> read the sysaccounts tree (or better, just its own entry)?
Hi Adam,
I did not find any existing permission allowing that. You will need to
either write your own permission, or directly a new ACI in 389-ds.
You need first to find the exact LDAP operations that the software is
doing (for instance a search with base=xx and filter=yy requesting
attributes zz). The attributes used in the filter have to be readable by
the user performing the search, as well as the attributes requested.
If the user is performing a search on its own entry, it is possible to
use the ldap:///self bind rule in the ACI.
Please find more info re. 389-ds Access Control in [1].
HTH,
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
> Many Thanks,
>
> Adam Bishop
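For reference, here is what the "directly a new ACI in 389-ds" option with the ldap:///self bind rule looks like in practice. This is an added example, not something from the thread or from FreeIPA's own code. It assumes the default FreeIPA sysaccounts container cn=sysaccounts,cn=etc,$SUFFIX with a suffix of dc=example,dc=com, a hypothetical system account uid=svc-check, and that the software's self-check is a base-scope search on its own entry with a filter on uid, requesting uid and objectClass; the attribute list in targetattr is therefore an assumption and should be narrowed or widened to exactly what the search uses.

```ldif
# Added example (not from the thread). Placed on the sysaccounts container so it
# applies to every entry beneath it, but userdn = "ldap:///self" restricts each
# bound account to reading only its own entry, nothing else in the subtree.
# Filter attributes (uid) and requested attributes (uid, objectClass) must both be
# listed in targetattr, otherwise the search silently returns no entries.
dn: cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || objectClass")(version 3.0; acl "sysaccount may read its own entry"; allow (read, search, compare) userdn = "ldap:///self";)

# Apply as Directory Manager (assumed paths/DNs):
#   ldapmodify -x -D "cn=Directory Manager" -W -H ldap://ipa.example.com -f sysaccount-self-aci.ldif
#
# Verify from the sysaccount's own perspective; before the ACI this returns
# zero entries, afterwards it returns the entry with uid and objectClass:
#   ldapsearch -x -H ldap://ipa.example.com \
#     -D "uid=svc-check,cn=sysaccounts,cn=etc,dc=example,dc=com" -W \
#     -b "uid=svc-check,cn=sysaccounts,cn=etc,dc=example,dc=com" -s base \
#     "(uid=svc-check)" uid objectClass
```

Keeping the rights to read, search and compare (no write) and the attribute list to only what the software actually queries gives the account nothing beyond its own self-check; if the software later needs a different attribute, extend targetattr rather than loosening the bind rule.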
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...