I need to compare a number stored on CAC with the one in employeenumber in IdM. I have a non-admin bind user for this and other generic LDAP data access for 3rd party needs. But only the Directory Manager can pull that field. Is there a permission setting to allow a system account to access that field? The account was created using the method from redhat solutions 4408441. -- Computers amplify human error Super computers are really cool_______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Jim Kinney via FreeIPA-users wrote: > I need to compare a number stored on CAC with the one in employeenumber > in IdM. I have a non-admin bind user for this and other generic LDAP > data access for 3rd party needs. But only the Directory Manager can pull > that field. > > Is there a permission setting to allow a system account to access that > field? The account was created using the method from redhat solutions > 4408441. Any authenticated user can read it per the permission "System: Read User Addressbook Attributes". There is definitely not something specific to the DM. A kinit should allow it as well: ldapsearch -LLLQ -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test employeenumber A bind user works for me. rob