> On Nov 14, 2023, at 11:41, Christian Heimes via FreeIPA-users <[email protected]> wrote:
>
> On 14/11/2023 09.18, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>> I am a bit confused here. What should be an appropriate default_privileges
>>>> value so that a system account can read all the entries/attributes below
>>>> cn=mailserver,cn=etc?
>>>
>>> Who should be allowed to access the fields? All principals (users,
>>> services, hosts, sys accounts) or a limited subset of principals?
>> Any authenticated user. I have this system account
>> cn=system,cn=sysaccounts,cn=etc that I use for reading only attributes. That
>> entry doesn't see any entry (besides postfixDomain object classes) under the
>> tree we mention.
>
> If any authenticated principal should be allowed to read the entries, then
> you do not need a named permission. The bind rule type "all" creates an ACI
> with target "ldap:///all" (all authenticated users). Easier to maintain and
> faster to check.
It didn’t work for me without a named permission. It was not until I created a privilege and added the cn=sysaccounts,cn=etc to it that I got to see the entries on the tree I had created.

Thanks,
Francis
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
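The two approaches discussed in this thread, written out as an added example (this is not code posted by either participant or shipped by FreeIPA): a single permission with bind rule type "all", as Christian suggests, next to the named permission plus privilege route Francis ended up using, followed by a check that binds as the system account itself. The suffix dc=example,dc=test, the server URL, the permission and privilege names, and the attribute list are assumptions; the bind_rule helper shows which 389-ds bind-rule clause each FreeIPA --bindtype value turns into.

```bash
#!/usr/bin/env bash
# Added example for this thread (not code from either participant or from FreeIPA).
# Two ways to let cn=system,cn=sysaccounts,cn=etc read a custom subtree under
# cn=mailserver,cn=etc, plus a bind-as-the-account check that shows whether the
# grant took effect. Suffix, server URL, names and attribute list are assumed.
set -eu

SUFFIX="${IPA_SUFFIX:-dc=example,dc=test}"               # assumed suffix
LDAP_URL="${IPA_LDAP_URL:-ldaps://ipa.example.test}"     # assumed server
SUBTREE="cn=mailserver,cn=etc,${SUFFIX}"
SYSACCT="cn=system,cn=sysaccounts,cn=etc,${SUFFIX}"
PERM="Read mailserver config"                            # assumed permission name
PRIV="Mailserver readers"                                # assumed privilege name
ATTRS="objectclass,cn"      # assumed; extend with the attributes the subtree really holds

# The bind-rule clause FreeIPA writes into the ACI for each --bindtype value.
# "all" is any authenticated bind (system accounts included), "anonymous" also
# matches unauthenticated binds, "permission" delegates to the permission
# entry's membership, which is what privileges and roles hang off.
bind_rule() {
  case "$1" in
    all)        printf 'userdn = "ldap:///all"' ;;
    anonymous)  printf 'userdn = "ldap:///anyone"' ;;
    self)       printf 'userdn = "ldap:///self"' ;;
    permission) printf 'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s"' "$2" "$SUFFIX" ;;
    *)          echo "unknown bindtype: $1" >&2; return 1 ;;
  esac
}

# Option 1 (Christian's suggestion): one permission, no privilege or role.
grant_all_authenticated() {
  ipa permission-add "$PERM" \
      --bindtype=all \
      --right=read,search,compare \
      --subtree="$SUBTREE" \
      --attrs="$ATTRS"
}

# Option 2 (what Francis describes): a named permission attached to a privilege,
# with the system account made a direct member of the privilege entry.
# "ipa role-add-member" only accepts users, groups, hosts, hostgroups and
# services, so the sysaccount is added to the privilege with ldapmodify.
grant_via_privilege() {
  ipa permission-add "$PERM" \
      --bindtype=permission \
      --right=read,search,compare \
      --subtree="$SUBTREE" \
      --attrs="$ATTRS"
  ipa privilege-add "$PRIV" --desc="Read access below cn=mailserver,cn=etc"
  ipa privilege-add-permission "$PRIV" --permissions="$PERM"
  ldapmodify -x -H "$LDAP_URL" -D "cn=Directory Manager" -W <<EOF
dn: cn=${PRIV},cn=privileges,cn=pbac,${SUFFIX}
changetype: modify
add: member
member: ${SYSACCT}
EOF
}

# Check as the account itself, never as Directory Manager: a successful bind
# that returns nothing means the ACI does not match, not that the tree is empty.
verify_as_sysaccount() {
  pw="$1"
  ldapsearch -LLL -x -H "$LDAP_URL" -D "$SYSACCT" -w "$pw" \
      -b "$SUBTREE" -s sub '(objectClass=*)' dn objectclass
}

case "${1:-}" in
  all)        grant_all_authenticated ;;
  privilege)  grant_via_privilege ;;
  verify)     verify_as_sysaccount "${2:?system account password}" ;;
  *)          : ;;   # no arguments: only define the functions
esac
```

Run it as `./grant.sh all` or `./grant.sh privilege`, then `./grant.sh verify 'password'`. The two options are not interchangeable after the fact: FreeIPA refuses to attach a permission whose bindtype is "all", "anonymous" or "self" to a privilege, so a permission created for option 1 has to be recreated with --bindtype=permission before it can be used in option 2.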
