On Tue, 27 Jan 2015, Raoul Becke wrote:
Alexander Bokovoy <abokovoy@...> writes:

On Wed, 14 Jan 2015, Raoul Becke wrote:
>Alexander Bokovoy <abokovoy <at> ...> writes:

Thank you very much for this detailed instructions. It seems not to be too
complicated and I think giving it a 2nd try - the only thing that worries me
a bit is:

This would work more or less same in 3.0 but you would need to add
permissions differently because 3.x doesn't have as easy permission
constructing means as 4.0 has.

Is there a document that describes how to do this in:
Name        : ipa-server
Arch        : x86_64
Version     : 3.3.3

Or a document that describes the differences then I can take it from there.
I think the difference would be in unavailability of 'ipa privilege-add-permission' command. You still need to create the
privilege and the role but then create ACI manually referencing the

# ipa privilege-add 'CIFS server privilege'
Added privilege "CIFS server privilege"
 Privilege name: CIFS server privilege
# ipa role-add 'CIFS server'
Added role "CIFS server"
 Role name: CIFS server
# ipa role-add-privilege 'CIFS server' --privilege='CIFS server privilege'
 Role name: CIFS server
 Privileges: CIFS server privilege
Number of privileges added 1

And add ACI based on the privilege group DN:
# cat 89-cifs-privilege-aci.update dn: $SUFFIX
add:aci: '(targetattr = "ipaNTHash || ipaNTSecurityIdentifier")(version 3.0; acl "CIFS server 
privilege permission"; allow (read,search,compare) groupdn="ldap:///cn=CIFS server 

# ipa-ldap-updater -l ./89-cifs-privilege-aci.update Parsing update file './89-cifs-privilege-aci.update'
Updating existing entry: dc=f21,dc=test
The ipa-ldap-updater command was successful

The add:aci line in the .update file shold be that long. Note that
changing ACI as opposed to using permission CLI in FreeIPA 4.x is not
really recommended. You need to understand what are you doing and that
wrong operations may cause slowness or even total malfunctioning of the
LDAP server.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to