Ronald Wimmer wrote:
> On 20.08.24 17:56, Rob Crittenden wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> On 14.08.24 10:50, Florence Blanc-Renaud wrote:
>>>> Hi,
>>>>
>>>> On Tue, Aug 13, 2024 at 1:15 PM Ronald Wimmer via FreeIPA-users
>>>> <[email protected] <mailto:freeipa-[email protected]>> wrote:
>>>>
>>>>     On 13.08.24 11:35, Ronald Wimmer via FreeIPA-users wrote:
>>>>     >
>>>>     > On 13.08.24 11:17, Ronald Wimmer via FreeIPA-users wrote:
>>>>     >>
>>>>     >> On 13.08.24 10:20, Ronald Wimmer via FreeIPA-users wrote:
>>>>     >>> As I do not know anything about LDAP users and permissions I would
>>>>     >>> like to ask for advice in this matter.
>>>>     >>>
>>>>     >>> I need an LDAP user that is capable of creating users in the staging
>>>>     >>> area as well as modifying or deleting existing users.
>>>>     >>>
>>>>     >>> I am aware of how to create a system user
>>>>     >>> (https://www.freeipa.org/page/HowTo/LDAP) but I do not know if there
>>>>     >>> is some kind of permission management (apart from putting the user in
>>>>     >>> cn=sysaccounts and assigning the right objectclasses).
>>>>     >>>
>>>>     >>
>>>>     >> I started reading about ACIs in Directory Server. Maybe I'll just
>>>>     >> stick to using "cn=Directory Manager" for this task...
>>>>     >
>>>>     > This is how I think an ACI should look in order to allow user
>>>>     > creation in the staging area.
>>>>     >
>>>>     > (targetattr = "*")
>>>>     > (target = "ldap:///cn=staged users,cn=accounts,cn=provisioning,dc=linux,dc=mydomain,dc=at")
>>>>     > (version 3.0;
>>>>     > acl "iam add staging users aci";
>>>>     > allow (add)
>>>>     > (userdn = "ldap:///uid=someadminuser,cn=sysaccounts,cn=etc,dc=example,dc=com")
>>>>     > ;)
>>>>     >
>>>>     > So I would need a separate ACI with "allow (all)" for DN:
>>>>     > cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at to allow modification of
>>>>     > existing users, right?
>>>>
>>>>     Looks like it would be much easier to add a regular IPA user and assign
>>>>     all required permissions, right?
>>>>
>>>>
>>>> Yes, you can start by reading Managing role-based access controls in
>>>> IdM using the CLI
>>>> <https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-role-based-access-controls-in-idm-using-the-cli_managing-users-groups-hosts>
>>>> and Configuring IdM for external provisioning of users
>>>> <https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts>.
>>>> FreeIPA already provides roles for User Management. If the permissions
>>>> are too broad for your use case, you can follow the 2nd link and
>>>> tailor it to suit your needs.
>>> Thanks for confirming. Fortunately, I am aware of both links you
>>> provided. We implemented and tested everything on our IPA test instance.
>>> Just need to switch from Directory Manager to a designated user for this
>>> particular scenario.
>>>
>>
>> There currently isn't an API to add sysaccount users to RBAC rules. You
>> can do it manually by adding their DN to the desired role. That should
>> trigger the memberof plugin and grant the sysaccount user all the
>> associated permissions.
>>
>> Or you can use a standard IPA user which is probably easier overall.
> When we used IPA in migration mode and Directory Manager to create stage
> users we could create IPA users with a password supplied by the external
> system. After switching from "Directory Manager" to a dedicated IPA
> user the password of newly created IPA users expired immediately
> (which is a no-go for our use case...).
>
> What would be the best way to cope with this situation?

Directory Manager is special and will mask situations like this. Look into
passSyncManagersDNs in the winsync docs. It will allow passwords to be
written without applying password policies and resets.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
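The two manual steps discussed in this thread, adding a system account's DN directly to an IPA role (since there is no API for it) and registering that DN in passSyncManagersDNs so passwords it writes are not expired on creation, as an added example that is not part of the thread or of the FreeIPA project. The suffix dc=example,dc=com, the system account uid=provisioner under cn=sysaccounts,cn=etc and the use of the built-in "User Administrator" role are assumptions; substitute your own values.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): grant an IPA system
# account an RBAC role by direct LDAP membership and register it as a
# password-sync manager on the ipa-pwd-extop plugin.
# Assumed (hypothetical) values: suffix, sysaccount DN and role name.
set -eu

SUFFIX='dc=example,dc=com'
SYSACCOUNT_DN="uid=provisioner,cn=sysaccounts,cn=etc,${SUFFIX}"
ROLE_DN="cn=User Administrator,cn=roles,cn=accounts,${SUFFIX}"
PWD_PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'

# LDIF that adds the system account as a direct member of the role.
# The memberOf plugin should then set memberOf on the sysaccount entry,
# which is what the role's permission ACIs key on.
role_member_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' \
        "$ROLE_DN" "$SYSACCOUNT_DN"
}

# LDIF that lists the system account in passSyncManagersDNs. userPassword
# writes performed by a DN in this list bypass the password policy and are
# not marked as expired, which is exactly what the external provisioner needs.
passsync_manager_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
        "$PWD_PLUGIN_DN" "$SYSACCOUNT_DN"
}

# One-off bootstrap as Directory Manager, followed by a check that the
# memberOf attribute actually appeared on the system account.
apply_changes() {
    role_member_ldif | ldapmodify -x -D 'cn=Directory Manager' -W
    passsync_manager_ldif | ldapmodify -x -D 'cn=Directory Manager' -W
    ldapsearch -x -D 'cn=Directory Manager' -W -b "$SYSACCOUNT_DN" -s base memberOf
}

# Run as "sh script.sh apply" to write the changes; without the argument the
# script only defines the LDIF generators so they can be inspected or tested.
if [ "${1:-}" = apply ]; then
    apply_changes
fi
```

Treat a DN in passSyncManagersDNs as a privileged credential: it can set any user's password without the policy being enforced, so dedicate a separate system account to provisioning rather than reusing a human admin's entry, and confirm with the ldapsearch above that memberOf was populated before relying on the role's permissions.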
