On 1/29/19 12:23 PM, Rob Crittenden wrote:
> So what I think you'll have to do is create a separate LDAP system
> account, details are in the LDAP howto on freeipa.org.

I stumbled across that sometime in the bleary hours of this morning.
Good to know that I was barking up the right tree.

> And you'll need to do a bit of manual work to allow this system account
> read access to the membership info. You can do this by using ldapmodify
> to add memberof: <permission> for the permission (or permissions) you
> need to grant it.

For whatever reason, I didn't need to do anything special.  It "just
worked" once I created the account.

# ldapsearch -x -D uid=radiusd,cn=sysaccounts,cn=etc,dc=example,dc=com \
    -W -b cn=users,cn=accounts,dc=example,dc=com '(uid=test)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: (uid=test)
# requesting: ALL
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20290126192822Z
krbLastPwdChange: 20190129192822Z
displayName: Test User
uid: test
krbCanonicalName: t...@example.com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: TU
gecos: Test User
sn: User
homeDirectory: /home/test
mail: t...@example.com
krbPrincipalName: t...@example.com
givenName: Test
cn: Test User
ipaUniqueID: fde5c420-23fb-11e9-bed0-00224db7a139
uidNumber: 1785200007
gidNumber: 1785200007

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

--
========================================================================
Ian Pilcher                                         arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
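As an added example (not code from this thread or from FreeIPA), here is the check a consumer like radiusd would make from the ldapsearch result above: parse the LDIF and ask whether the user's entry lists a given group in memberOf. The sample LDIF is constructed from the output above and trimmed; a folded line and a base64 ("::") attribute are added to exercise those two LDIF features.

```python
import base64
import re
# Constructed sample, trimmed from the ldapsearch output above; a folded line and a
# base64 ("::") attribute are included to exercise those two LDIF features.
SAMPLE_LDIF = """\
# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,
 dc=com
displayName:: VGVzdCBVc2Vy
uid: test

result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def parse_ldif(text):
    """Parse ldapsearch LDIF output into entries: {lowercased attribute: [values]}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous (folded) line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line:  # a blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # "#" comment line or otherwise not an attribute line
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:  # "result:"/"search:" trailer lines are outside any entry
            current.setdefault(attr, []).append(value)
    return entries

def is_member(entries, uid, group_dn):
    """True only if uid's entry lists group_dn in memberOf (DNs compared case-insensitively)."""
    matches = [e for e in entries if uid.lower() in map(str.lower, e.get("uid", []))]
    return any(group_dn.lower() in map(str.lower, e.get("memberof", [])) for e in matches)
```

Note that if the system account lacks read permission on memberOf, the attribute is simply absent from the entry rather than producing an error, so this check fails closed (returns False) for every group.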
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org