Ok, it indeed looks like we missed this tree when doing Permission V2
refactoring (ticket https://fedorahosted.org/freeipa/ticket/4521). This is
something we will need to fix in upcoming FreeIPA 4.0.2, so please stay tuned.

In the meantime, you can use the workaround that Rob sent, you would just need
to delete it again when the fix is in, so that the permissions do not step on
each other.

Martin

On 09/02/2014 11:09 PM, Rob Crittenden wrote:
> Chris Whittle wrote:
>> If I do this 
>>
>> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D
>> "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword'
>> -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"
>>
>> It works fine
> 
> AFAICT there currently isn't a permission for the compat tree. The admin
> user can do it via 'Admin can manage any entry" and of course DM can do
> it because it can do anything.
> 
> A temporary workaround would be to add an aci manually:
> 
> dn: dc=example,dc=com
> changetype: modify
> add: aci
> aci: (targetattr = "*")(target =
> "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com";)(version 3.0;acl
> "Read canlogin compat tree";allow (compare,read,search) userdn =
> "ldap:///all";;)
> 
> This won't show up as a permission and will grant all authenticated
> users read access to the canlogin compat tree. I'm assuming here this
> contains entries keyed on uid.
> 
> rob
> 
>>
>> **Mac_Slave is my automation user.
>>
>>
>>
>>
>> On Tue, Sep 2, 2014 at 3:40 PM, Chris Whittle <cwhi...@gmail.com
>> <mailto:cwhi...@gmail.com>> wrote:
>>
>>     For testing I'm using
>>
>>     ldapsearch -LLL -H ldaps://DOMAIN636 -x -D "cn=directory manager" -w
>>     'nachopassword' -b "cn=canlogin,cn=compat,dc=domain,dc=com"
>>
>>     If I do it with directory manager it works fine, if I use my
>>     automation user (just a generic user with no extra permissions) it
>>     returns nothing, no error, just empty space
>>
>>     if I add -v (verbose) i get 
>>
>>     ldap_initialize( ldaps://domain.com:636/??base
>>     <http://domain.com:636/??base> )
>>
>>     filter: (objectclass=*)
>>
>>     requesting: All userApplication attributes
>>
>>
>>     Thanks everyone!
>>
>>
>>     On Tue, Sep 2, 2014 at 3:31 PM, Rob Crittenden <rcrit...@redhat.com
>>     <mailto:rcrit...@redhat.com>> wrote:
>>
>>         Chris Whittle wrote:
>>         > hmmm...
>>         > Is there not a permission or role in freeIPA that I could give
>>         a group
>>         > or role just to see everything in
>>         > my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com"
>>
>>         Can you provide more details on what you're doing, and how you are
>>         binding? Can you search the cn=users,cn=compat,dc=DOMAIN,dc=com
>>         tree?
>>
>>         AFAICT you should be able to read cn=compat as long as you bind
>>         as a user.
>>
>>         rob
>>
>>         >
>>         >
>>         >
>>         > On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal <d...@redhat.com
>>         <mailto:d...@redhat.com>
>>         > <mailto:d...@redhat.com <mailto:d...@redhat.com>>> wrote:
>>         >
>>         >     On 09/02/2014 09:34 PM, Chris Whittle wrote:
>>         >>     Ok Dmitri, I got it added using what you sent and the
>>         following links
>>         >>   
>>          
>> https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt
>>         >>     and
>>         >>   
>>          
>> https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html
>>         >>
>>         >>     I think i'm 90% there with the caveat that I can't seem
>>         to see
>>         >>     what permissions I need to give a user to view my NIS "view".
>>         >>      Right now Directory Manager can see it but that is it.
>>         >>
>>         >>     Any ideas?
>>         >>
>>         >     You got me :-)
>>         >     I would defer to specialist in this area to solve this
>>         problem.
>>         >
>>         >
>>         >>
>>         >>
>>         >>     On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle
>>         <cwhi...@gmail.com <mailto:cwhi...@gmail.com>
>>         >>     <mailto:cwhi...@gmail.com <mailto:cwhi...@gmail.com>>> wrote:
>>         >>
>>         >>         Thanks Dimitri, before I get too far this rabbit hole
>>         (cause
>>         >>         it looks a little scary) let me make sure I get it.
>>         >>
>>         >>         So using Slap-NIS I should be able to create a view into
>>         >>         FreeIPA that would show only a subset of user based on
>>         >>         something like a group or an attribute?
>>         >>
>>         >>         Then using the built in MAC Directory Utility (or any
>>         LDAP
>>         >>         client) I should be able to use that Slap-NIS view as a
>>         >>         searchbase and it would return just people I wanted. 
>>         This
>>         >>         could be used keep anyone outside that view from
>>         logging in?
>>         >>
>>         >>         I'm sorry for the noob questions but there isn't a
>>         lot of good
>>         >>         documentation on SlapNIS from first glance and I
>>         don't want to
>>         >>         spend 2 days figuring it out if it's not going to work.
>>         >>
>>         >>         As always extremely appreciated!
>>         >>         Whitt
>>         >>
>>         >>
>>         >>
>>         >>
>>         >>
>>         >>
>>         >>
>>         >>         On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal
>>         <d...@redhat.com <mailto:d...@redhat.com>
>>         >>         <mailto:d...@redhat.com <mailto:d...@redhat.com>>> wrote:
>>         >>
>>         >>             On 09/02/2014 03:04 AM, Chris Whittle wrote:
>>         >>>             I am trying to limit who can login to my macs
>>         and I'm
>>         >>>             having to stick to what OSX will let me do.
>>         >>>
>>         >>>             Currently I can only limit users using the
>>         searchbase and
>>         >>>             right now it's
>>         "cn=users,cn=accounts,dc=DOMAIN,dc=com"
>>         >>>
>>         >>>             This works fine unless I wanted to create a user
>>         that I
>>         >>>             wanted in LDAP for other purposes but not to login.
>>         >>>
>>         >>>             So my questions are,
>>         >>>             A)Can we create different OUs in FreeIPA like
>>         most LDAP
>>         >>>             servers?
>>         >>
>>         >>             You can use slapi-nis to create an alternative
>>         view of the
>>         >>             tree or trees and point your special client to
>>         that tree.
>>         >>             There you might be able to expose a small subset
>>         of users
>>         >>             that match your special criteria.
>>         >>             The slapi-nis and compat docs are in the doc
>>         folder in the
>>         >>             corresponding git repo.
>>         >>
>>         >>             IPA uses compat tree for its own purposes but you can
>>         >>             tweak it if you need or create a different view.
>>         >>
>>         >>             HTH
>>         >>
>>         >>
>>         >>
>>         >>>             B)If not anyone have any idea on how I could do
>>         this with
>>         >>>             OSX's directory Utility?
>>         >>>
>>         >>>             Thanks!
>>         >>>
>>         >>>
>>         >>>
>>         >>
>>         >>
>>         >>             --
>>         >>             Thank you,
>>         >>             Dmitri Pal
>>         >>
>>         >>             Sr. Engineering Manager IdM portfolio
>>         >>             Red Hat, Inc.
>>         >>
>>         >>
>>         >>
>>         >
>>         >
>>         >     --
>>         >     Thank you,
>>         >     Dmitri Pal
>>         >
>>         >     Sr. Engineering Manager IdM portfolio
>>         >     Red Hat, Inc.
>>         >
>>         >
>>         >
>>         >
>>
>>
>>
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to