Hi,

On Tue, Aug 13, 2024 at 1:15 PM Ronald Wimmer via FreeIPA-users <[email protected]> wrote:
> On 13.08.24 11:35, Ronald Wimmer via FreeIPA-users wrote:
> >
> > On 13.08.24 11:17, Ronald Wimmer via FreeIPA-users wrote:
> >>
> >> On 13.08.24 10:20, Ronald Wimmer via FreeIPA-users wrote:
> >>> As I do not know anything about LDAP users and permissions I would
> >>> like to ask for advice in this matter.
> >>>
> >>> I need an LDAP user that is capable of creating users in the staging
> >>> area as well as modifying or deleting existing users.
> >>>
> >>> I am aware of how to create a system user
> >>> (https://www.freeipa.org/page/HowTo/LDAP) but I do not know if there
> >>> is some kind of permission management (apart from putting the user in
> >>> cn=sysaccounts and assigning the right objectclasses).
> >>>
> >>
> >> I started reading about ACIs in Directory Server. Maybe I'll just
> >> stick to using "cn=Directory Manager" for this task...
> >
> > This is how I think an ACI should look in order to allow user
> > creation in the staging area.
> >
> > (targetattr = "*")
> > (target = "ldap:///cn=staged users,cn=accounts,cn=provisioning,dc=linux,dc=mydomain,dc=at")
> > (version 3.0;
> > acl "iam add staging users aci";
> > allow (add)
> > (userdn = "ldap:///uid=someadminuser,cn=sysaccounts,cn=etc,dc=example,dc=com")
> > ;)
> >
> > So I would need a separate ACI with "allow (all)" for DN:
> > cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at to allow modification of
> > existing users, right?
>
> Looks like it would be much easier to add a regular IPA user and assign
> all required permissions, right?
Yes, you can start by reading Managing role-based access controls in IdM using the CLI <https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-role-based-access-controls-in-idm-using-the-cli_managing-users-groups-hosts> and Configuring IdM for external provisioning of users <https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts>.

FreeIPA already provides roles for User Management. If the permissions are too broad for your use case, you can follow the 2nd link and tailor it to suit your needs.

HTH,
flo
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
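The RBAC route flo points to, written out as a POSIX shell script. This is an added example, not code from the thread or from the FreeIPA project: it creates a role that carries only FreeIPA's built-in "Stage User Provisioning" privilege and assigns it to a regular IPA user, so no hand-written 389-ds ACI bound to a cn=sysaccounts entry is needed, and it puts the "modify or delete existing users" part on a separate account holding the built-in "User Administrator" role. Assumptions not taken from the thread: the ipa CLI is installed and the caller holds an admin Kerberos ticket (kinit admin); the role name "System Provisioning" and the account names "provisionator" and "activator" are illustrative defaults.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: grant a dedicated
# IPA user the minimum rights to create users in the staging area by using the
# built-in "Stage User Provisioning" privilege, instead of a hand-written ACI
# bound to an entry under cn=sysaccounts.
#
# Assumptions (not from the thread): the ipa CLI is installed, the caller holds
# an admin Kerberos ticket (kinit admin), and the role name "System Provisioning"
# and the user names "provisionator" / "activator" are illustrative defaults.
# The plan is printed by default; set APPLY=1 to actually run the commands.

ROLE="${ROLE:-System Provisioning}"
PROV_USER="${PROV_USER:-provisionator}"

# Run a command, or print it with each argument single-quoted when not
# applying, so the plan can be reviewed and copied verbatim.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        for arg in "$@"; do
            printf "'%s' " "$arg"
        done
        printf '\n'
    fi
}

# Role carrying only the stage-user privilege: the account is meant to add
# entries under cn=staged users and nothing more.
setup_provisioning_role() {
    run ipa role-add "$ROLE" --desc "Responsible for provisioning stage users"
    run ipa role-add-privilege "$ROLE" --privileges "Stage User Provisioning"
    # A regular IPA user (not a cn=sysaccounts entry) so it can be a role member.
    run ipa user-add "$PROV_USER" --first Provisioning --last System --shell /sbin/nologin
    run ipa role-add-member "$ROLE" --users "$PROV_USER"
}

# Modifying or deleting active users is a separate concern: the built-in
# "User Administrator" role already covers it, and goes to a distinct account
# so the provisioning credential alone cannot do both.
setup_activator() {
    activator="${1:-activator}"
    run ipa user-add "$activator" --first Activator --last System --shell /sbin/nologin
    run ipa role-add-member "User Administrator" --users "$activator"
}

# Show what the new role actually grants, so the result can be audited.
show_role() {
    run ipa role-show "$ROLE" --all
}

setup_provisioning_role
setup_activator
show_role
```

Review the printed plan, then rerun with APPLY=1. The provisioning system then authenticates as provisionator (kinit provisionator) and creates entries with ipa stageuser-add; the activator account is the one that later runs ipa stageuser-activate or ipa user-mod. The final ipa role-show is the check worth keeping: the provisioning role should list exactly one privilege before the credential is handed out.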
