If you want to add special ACIs using the new/updated permission API (ipa
permission-add), I would suggest the following procedure:

1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new)
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN member of that role (you just
add a new member attribute value)
5) Profit - you should now be able to control permissions to your system
account with FreeIPA CLI/UI

On step 4 to add the sysaccounts user to the role, I get an error:

# cat sysaccount-LDAPsearch-add-role-2.ldif
dn: cn=A and A,cn=roles,cn=accounts,dc=...
changetype: modify
add: member
member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=...

# ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
SASL/GSSAPI authentication started
SASL username: admin@...
SASL data security layer installed.
modifying entry "cn=A and A,cn=roles,cn=accounts,dc=..."
ldap_modify: Object class violation (65)

Same thing if I use Directory Manager. I was able to add a normal user to the 
role, using both the GUI and ldapmodify.

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

George Boyce, SAIC/NICS
GCC Systems Support
NASA GSFC Code 762
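The five-step procedure and the step-4 LDIF from the post, as an added shell example that is not part of the original message: helpers that generate the LDIF for steps 1 and 4 and drive the ipa CLI for steps 2 and 3. The base DN, the permission/privilege names, the read-only ACI contents and the extra `nsMemberOf` objectClass on the system account (assumed to let the memberOf plugin write `memberOf` on that entry) are assumptions, not something the post states.

```shell
# Added example, not from the post. Placeholders: BASE_DN, permission and
# privilege names, and the attributes the ACI grants read access to.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"   # placeholder suffix, replace with yours

# Step 1: LDIF for a new system account under cn=sysaccounts,cn=etc.
# Assumption (not stated in the post): the auxiliary objectClass nsMemberOf is
# included so the memberOf plugin may write memberOf on this entry later.
make_sysaccount_ldif() {  # $1 = uid, $2 = password
    cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,$BASE_DN
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: nsMemberOf
uid: $1
userPassword: $2
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Step 4: LDIF adding the system account DN as a member of the role
# (same shape as the ldif in the post).
make_role_member_ldif() {  # $1 = role cn, $2 = sysaccount uid
    cat <<EOF
dn: cn=$1,cn=roles,cn=accounts,$BASE_DN
changetype: modify
add: member
member: uid=$2,cn=sysaccounts,cn=etc,$BASE_DN
EOF
}

# Steps 2 and 3 with the ipa CLI (names are placeholders): a read-only
# permission on user entries, a privilege holding it, a role holding the
# privilege, then the step-4 ldapmodify.
apply_procedure() {  # $1 = sysaccount uid, $2 = role cn
    ipa permission-add "Read user names" --right=read --type=user --attrs=uid --attrs=cn
    ipa privilege-add "Read user names privilege" --desc="Read-only user lookup"
    ipa privilege-add-permission "Read user names privilege" --permissions="Read user names"
    ipa role-add "$2" --desc="Role for system account $1"
    ipa role-add-privilege "$2" --privileges="Read user names privilege"
    make_role_member_ldif "$2" "$1" | ldapmodify -Y GSSAPI
}

# Live steps only run when requested: RUN_IPA=1 SYSACCOUNT_PW=... ./script.sh
if [ "${RUN_IPA:-0}" = 1 ]; then
    make_sysaccount_ldif LDAPsearch "${SYSACCOUNT_PW:?set SYSACCOUNT_PW}" | ldapadd -Y GSSAPI
    apply_procedure LDAPsearch "A and A"
fi
```

Run it against a FreeIPA server with a Kerberos ticket for an admin; without `RUN_IPA=1` it only defines the helpers, which is convenient for inspecting the generated LDIF first.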

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project