Boyce, George Robert. (GSFC-762.0)[NICS] wrote:
If you want to add special ACIs using the new/updated permission API (ipa
permission-add), I would suggest following procedure:
1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new)
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN member of that role (you
add a new member attribute value)
5) Profit - you should be now able to control permissions to your system
account with FreeIPA CLI/UI
On step 4 to add the sysaccounts user to the role, I get an error:
# cat sysaccount-LDAPsearch-add-role-2.ldif
dn: cn=A and A,cn=roles,cn=accounts,dc=…
# ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
SASL/GSSAPI authentication started
SASL username: admin@...
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=A and A,cn=roles,cn=accounts,dc=…"
ldap_modify: Object class violation (65)
Same thing if I use Directory Manager. I was able to add a normal user
to the role, using both the GUI and ldapmodify.
Try adding the inetUser objectclass to your system account. You're
probably lacking memberOf.
# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112
# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)
George Boyce, SAIC/NICS
GCC Systems Support
NASA GSFC Code 762
I was in Code 500 many moons ago, Center Network Environment (CNE).
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project