On 1/29/19 12:23 PM, Rob Crittenden wrote:
So what I think you'll have to do is create a separate LDAP system account, details are in the LDAP howto on freeipa.org.
I stumbled across that sometime in the bleary hours of this morning. Good to know that I was barking up the right tree.
And you'll need to do a bit of manual work to allow this system account read access to the membership info. You can do this by using ldapmodify to add memberof: <permission> for the permission (or permissions) you need to grant it.
For whatever reason, I didn't need to do anything special. It "just worked" once I created the account.

# ldapsearch -x -D uid=radiusd,cn=sysaccounts,cn=etc,dc=example,dc=com \
    -W -b cn=users,cn=accounts,dc=example,dc=com '(uid=test)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# filter: (uid=test)
# requesting: ALL
#

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20290126192822Z
krbLastPwdChange: 20190129192822Z
displayName: Test User
uid: test
krbCanonicalName: t...@example.com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: TU
gecos: Test User
sn: User
homeDirectory: /home/test
mail: t...@example.com
krbPrincipalName: t...@example.com
givenName: Test
cn: Test User
ipaUniqueID: fde5c420-23fb-11e9-bed0-00224db7a139
uidNumber: 1785200007
gidNumber: 1785200007

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-- 
========================================================================
Ian Pilcher                                         arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
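As an added example (not code from the thread or from FreeIPA), a small Python check that parses ldapsearch LDIF output like the one above and reports whether the bound system account can see the user's memberOf values and whether the user is in a given group; when no memberOf comes back, the account still needs the read permission Rob describes. The LDIF sample is constructed, and the folded line and base64 value in it are there to exercise two LDIF features a naive line splitter gets wrong.

```python
import base64
import re

# Constructed sample modelled on the ldapsearch output above (not a real capture).
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=exa
 mple,dc=com
uid: test
displayName:: VGVzdCBVc2Vy
"""

def parse_ldif(text):
    """Entries as dicts attr(lowercase) -> [values]; comments skipped, folded lines unfolded, '::' values base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entries

def visible_groups(entry):
    """CNs of the groups the bound account is allowed to see in memberOf."""
    return {m.group(1) for dn in entry.get("memberof", [])
            if (m := re.match(r"cn=([^,]+),", dn, re.IGNORECASE))}

def check_membership(ldif_text, uid, group_cn):
    """True/False when memberOf is visible; None when the entry came back without
    memberOf, i.e. the system account still lacks read access to membership info."""
    for entry in parse_ldif(ldif_text):
        if entry.get("uid", [None])[0] == uid:
            groups = visible_groups(entry)
            return (group_cn in groups) if groups else None
    raise LookupError(f"no entry with uid={uid}")
```

Pipe the real ldapsearch output into check_membership (e.g. read from a file) and a None result is the signal to go back to the ldapmodify step.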