On Tue, 19 Dec 2023, RA via FreeIPA-users wrote:
> Hi,
> I created a System Account as indicated at
> https://www.freeipa.org/page/HowTo/LDAP#system-accounts and it works as
> expected (it is used to perform LDAP bind for authentication in my
> email application). The problem comes when I try to use it to read
> additional attributes (required by postfix-ldap) in my users, for
> example, mailAlternateAddress (it is not able to read the attribute).
> As a workaround, I created a "regular" LDAP user and assigned the
> permissions/roles required and it works; however, I don't think that a
> dedicated user should be created to perform this task, am I wrong?
> Considering the scenario described, I have a couple of questions:
> 1. Is it possible to grant permissions to a System Account to read
> those attributes? (I tried to add it to the roles/permissions using
> memberOf but it didn't allow me to add those attributes; I got a
> permissions error even when I used my admin account to run ldapmodify.)
> 2. What would be the "correct" way to do the configuration? (I mean a
> regular user? other?)
What you can do is to create a group, assign a role/permission/privilege
to that group and manually add your system account to the group as a
member. To do so, the system account object should have the nsMemberOf
objectclass so that the memberof plugin can add back a 'memberof:
DN-of-a-group' attribute to the system account entry.
This way you can manage attributes' access to any system account. The
only drawback is that membership would be a manual operation to
add/remove using --addattr and --delattr options of `ipa group-mod`.
# ipa group-add sysaccount-members --nonposix
--------------------------------
Added group "sysaccount-members"
--------------------------------
Group name: sysaccount-members
# ipa group-mod sysaccount-members --addattr member=uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
-----------------------------------
Modified group "sysaccount-members"
-----------------------------------
Group name: sysaccount-members
# ipa group-show sysaccount-members --raw --all
dn: cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test
cn: sysaccount-members
member: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
ipaUniqueID: a095e746-9f07-11ee-930c-fa163e1382c3
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
# ldapsearch -Y EXTERNAL -H ldapi://%2Frun%2Fslapd-IPA1-TEST.socket -b uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# sudo, sysaccounts, etc, ipa1.test
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
objectClass: account
objectClass: simplesecurityobject
objectClass: top
objectClass: nsMemberOf
uid: sudo
userPassword:: some value
memberOf: cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I am adding the group with the --nonposix option to avoid spending IDs for
this group, as it will only be used in LDAP access controls and does not
need to be a POSIX one.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
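Added example, not part of the thread and not FreeIPA's own code: a small Python check that parses the LDIF printed by `ldapsearch` for a system account and confirms the two preconditions the reply relies on, namely that the entry carries the nsMemberOf objectclass and that the memberof plugin has written the expected memberOf value. It also emits the `ldapmodify` LDIF that adds nsMemberOf to an account created from the HowTo template, which only has the account and simplesecurityobject classes. The sample entries, the `postfix` account name and the group DN reused from the reply are constructed; whether a given account already has the objectclass is an assumption to verify against the real directory.

```python
"""Check that a FreeIPA system account is ready for group-based access control."""
import base64
from typing import Dict, List

# Constructed sample: a system account prepared as described in the reply
# (nsMemberOf objectclass present, memberOf written by the plugin). The
# base64 password value decodes to the placeholder "some value"; the
# memberOf line is folded across two lines as ldapsearch does for long DNs.
READY_LDIF = """\
# sudo, sysaccounts, etc, ipa1.test
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
objectClass: account
objectClass: simplesecurityobject
objectClass: top
objectClass: nsMemberOf
uid: sudo
userPassword:: c29tZSB2YWx1ZQ==
memberOf: cn=sysaccount-members,cn=groups,cn=accounts,
 dc=ipa1,dc=test

# search result
search: 2
result: 0 Success
"""

# Constructed sample: an account created from the stock HowTo LDIF, before
# the fix. No nsMemberOf, so the memberof plugin cannot write memberOf.
STOCK_LDIF = """\
dn: uid=postfix,cn=sysaccounts,cn=etc,dc=ipa1,dc=test
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: postfix
"""

GROUP_DN = "cn=sysaccount-members,cn=groups,cn=accounts,dc=ipa1,dc=test"


def _unfold(text: str) -> List[str]:
    """Drop LDIF comments and join folded lines (leading space) to their parent."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and out and out[-1] != "":
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into entries; attribute names are lower-cased.

    Base64 values ("attr:: ...") are decoded. Trailing "search:"/"result:"
    lines form a pseudo-entry without a dn and are discarded.
    """
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in _unfold(text) + [""]:
        if line == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return [e for e in entries if "dn" in e]


def _norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim RDN whitespace, ignore case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_access_ready(entry: Dict[str, List[str]], group_dn: str) -> Dict[str, bool]:
    """Report whether the entry can inherit permissions granted to group_dn."""
    object_classes = {v.lower() for v in entry.get("objectclass", [])}
    members_of = {_norm_dn(v) for v in entry.get("memberof", [])}
    return {
        "has_nsmemberof": "nsmemberof" in object_classes,
        "memberof_group": _norm_dn(group_dn) in members_of,
    }


def check(ldif_text: str, group_dn: str = GROUP_DN) -> Dict[str, bool]:
    """Run the readiness check on ldapsearch output for exactly one account."""
    entries = parse_ldif(ldif_text)
    if len(entries) != 1:
        raise ValueError(f"expected one entry, found {len(entries)}")
    return group_access_ready(entries[0], group_dn)


def nsmemberof_modify_ldif(account_dn: str) -> str:
    """LDIF for `ldapmodify` that adds nsMemberOf to a stock HowTo account.

    Assumption: the account does not already carry the objectclass; adding
    a value that is already present makes the modify fail.
    """
    return (
        f"dn: {account_dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: nsMemberOf\n"
    )


if __name__ == "__main__":
    for label, text in (("prepared account", READY_LDIF), ("stock account", STOCK_LDIF)):
        print(label, check(text))
    print(nsmemberof_modify_ldif("uid=postfix,cn=sysaccounts,cn=etc,dc=ipa1,dc=test"))
```

Run it against saved `ldapsearch` output for the real account before pointing postfix-ldap at it: both flags must be true, otherwise the permissions granted to the group never reach the bind DN.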