Ronald Wimmer wrote:
> On 03.09.24 17:04, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer wrote:
>>> On 20.08.24 17:56, Rob Crittenden wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> On 14.08.24 10:50, Florence Blanc-Renaud wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Tue, Aug 13, 2024 at 1:15 PM Ronald Wimmer via FreeIPA-users
>>>>>> <[email protected]> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>       On 13.08.24 11:35, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>        >
>>>>>>        >
>>>>>>        > On 13.08.24 11:17, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>        >>
>>>>>>        >>
>>>>>>        >> On 13.08.24 10:20, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>        >>> As I do not know anything about LDAP users and permissions I
>>>>>>        >>> would like to ask for advice in this matter.
>>>>>>        >>>
>>>>>>        >>> I need an LDAP user that is capable of creating users in the
>>>>>>        >>> staging area as well as modifying or deleting existing users.
>>>>>>        >>>
>>>>>>        >>> I am aware of how to create a system user
>>>>>>        >>> (https://www.freeipa.org/page/HowTo/LDAP) but I do not know if there
>>>>>>        >>> is some kind of permission management (apart from putting the user in
>>>>>>        >>> cn=sysaccounts and assigning the right objectclasses).
>>>>>>        >>>
>>>>>>        >>
>>>>>>        >> I started reading about ACIs in Directory Server. Maybe I'll just
>>>>>>        >> stick to using "cn=Directory Manager" for this task...
>>>>>>        >
>>>>>>        > This is how I think an ACI should look like in order to allow user
>>>>>>        > creation in the staging area.
>>>>>>        >
>>>>>>        > (targetattr = "*")
>>>>>>        > (target = "ldap:///cn=staged users,cn=accounts,cn=provisioning,dc=linux,dc=mydomain,dc=at")
>>>>>>        > (version 3.0;
>>>>>>        > acl "iam add staging users aci";
>>>>>>        > allow (add)
>>>>>>        > (userdn = "ldap:///uid=someadminuser,cn=sysaccounts,cn=etc,dc=example,dc=com")
>>>>>>        > ;)
>>>>>>        >
>>>>>>        > So I would need a separate ACI with "allow (all)" for DN:
>>>>>>        > cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at to allow modification of
>>>>>>        > existing users, right?
>>>>>>
>>>>>>       Looks like it would be much easier to add a regular IPA user and
>>>>>>       assign all required permissions, right?
>>>>>>
>>>>>>
>>>>>> Yes, you can start by reading Managing role-based access controls in
>>>>>> IdM using the CLI
>>>>>> <https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-role-based-access-controls-in-idm-using-the-cli_managing-users-groups-hosts>
>>>>>> and Configuring IdM for external provisioning of users
>>>>>> <https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts>.
>>>>>> FreeIPA already provides roles for User Management. If the permissions
>>>>>> are too broad for your use case, you can follow the 2nd link and
>>>>>> tailor it to suit your needs.
>>>>> Thanks for confirming. Fortunately, I am aware of both links you
>>>>> provided. We implemented and tested everything on our IPA test instance.
>>>>> Just need to switch from Directory Manager to a designated user for this
>>>>> particular scenario.
>>>>>
>>>>
>>>> There currently isn't an API to add sysaccount users to RBAC rules. You
>>>> can do it manually by adding their DN to the desired role. That should
>>>> trigger the memberof plugin and grant the sysaccount user all the
>>>> associated permissions.
>>>>
>>>> Or you can use a standard IPA user which is probably easier overall.
>>> When we used IPA in migration mode and Directory Manager to create stage
>>> users we could create IPA users with a password supplied by the external
>>> system. After switching from "Directory Manager" to a dedicated IPA
>>> user the password of newly created IPA users expired immediately.
>>> (which is a no-go for our use case...)
>>>
>>> What would be the best way to cope with this situation?
>>
>> Directory Manager is special and will mask situations like this.
>>
>> Look into passSyncManagersDNs in the winsync docs. It will allow
>> passwords to be written without applying password policies and resets.
> Works perfectly! Thanks a lot Rob!
> 
> The only remaining question is if there is a possibility to prevent that
> particular user's password from expiring. Will setting maxlife to 0 work?
> 

This is all in the docs.

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/pwd-expiration

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
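The three directory changes the thread touches on (a hand-written ACI scoped to the staging container, adding a system account's DN to a role by hand since there is no ipa CLI for it, and listing that DN in passSyncManagersDNs), gathered into one script as an added example. This is not code from the thread or from FreeIPA itself. It assumes a suffix of dc=example,dc=com, a system account uid=provisioner under cn=sysaccounts,cn=etc, the built-in "User Administrator" role, and ldapmodify bound as cn=Directory Manager with a prompted password; all of those names are placeholders to adjust. Without arguments it only prints the LDIF, so it can be reviewed before anything is written.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeIPA: the three
# directory changes discussed above, for a dedicated provisioning system
# account instead of cn=Directory Manager.
# Assumptions (change to match your deployment): the suffix is
# dc=example,dc=com, the account is uid=provisioner under
# cn=sysaccounts,cn=etc, and the built-in "User Administrator" role is
# the role whose permissions are wanted.
# Without arguments the script only prints the LDIF; "apply" pipes it
# into ldapmodify bound as cn=Directory Manager (password prompted).

SUFFIX="${SUFFIX:-dc=example,dc=com}"
SYSACCT="${SYSACCT:-uid=provisioner,cn=sysaccounts,cn=etc,$SUFFIX}"
STAGING="cn=staged users,cn=accounts,cn=provisioning,$SUFFIX"
ROLE="cn=User Administrator,cn=roles,cn=accounts,$SUFFIX"

# A bind DN outside the server's suffix can never match a userdn rule; the
# draft ACI earlier in the thread mixed two different suffixes, which this
# check would have caught.
same_suffix() {
  case "$1" in
    *",$SUFFIX") return 0 ;;
    *)           return 1 ;;
  esac
}

# 1. Hand-written ACI on the staging container: only the system account may
#    add entries below it.  For an add, targetattr must cover every attribute
#    of the new entry, hence "*".  The ";" that closes the allow clause sits
#    after the closing quote of the DN, not inside it.
aci_ldif() {
  cat <<EOF
dn: $STAGING
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///$STAGING")(version 3.0; acl "provisioner may add staged users"; allow (add) userdn = "ldap:///$SYSACCT";)
EOF
}

# 2. The route Rob suggests instead of per-container ACIs: put the system
#    account's DN straight into a role's member attribute with ldapmodify.
#    The memberOf plugin then expands role -> privilege -> permission for
#    the account, which is what the permission ACIs check.
role_ldif() {
  cat <<EOF
dn: $ROLE
changetype: modify
add: member
member: $SYSACCT
EOF
}

# 3. passSyncManagersDNs: password writes by this DN skip the password
#    policy and the forced reset on first use, which is what keeps
#    provisioned users' passwords from expiring immediately.  It also means
#    this account can set the password of any user it may write; guard its
#    credential like Directory Manager's and keep its role minimal.
passsync_ldif() {
  cat <<EOF
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: $SYSACCT
EOF
}

all_ldif() {
  aci_ldif; echo; role_ldif; echo; passsync_ldif
}

if ! same_suffix "$SYSACCT"; then
  echo "SYSACCT is not under $SUFFIX; the userdn rule would never match" >&2
  exit 1
fi

if [ "${1:-}" = "apply" ]; then
  all_ldif | ldapmodify -x -D "cn=Directory Manager" -W
  # Confirm memberOf reached the account: permissions show up as memberOf.
  ldapsearch -x -D "cn=Directory Manager" -W -b "$SYSACCT" -s base memberOf
else
  all_ldif
fi
```

The ACI in step 1 and the role membership in step 2 are alternatives, not a pair: the ACI is the narrowest grant possible (add only, staging container only), the role route inherits whatever the role's privileges allow. Whichever is kept, the passSyncManagersDNs entry widens what that account can do with passwords, so its DN belongs in the same review as Directory Manager's password.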