Boyce, George Robert. (GSFC-762.0)[NICS] wrote:

If you want to add special ACIs using the new/updated permission API (ipa
permission-add), I would suggest the following procedure:

1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new)
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN member of that role (you
add a new member attribute value)
5) Profit - you should now be able to control permissions to your system
account with FreeIPA CLI/UI


On step 4 to add the sysaccounts user to the role, I get an error:

# cat sysaccount-LDAPsearch-add-role-2.ldif
dn: cn=A and A,cn=roles,cn=accounts,dc=…
changetype: modify
add: member
member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=…

# ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
SASL/GSSAPI authentication started
SASL username: admin@...
SASL data security layer installed.
modifying entry "cn=A and A,cn=roles,cn=accounts,dc=…"
ldap_modify: Object class violation (65)

Same thing if I use Directory Manager. I was able to add a normal user
to the role, using both the GUI and ldapmodify.

Try adding the inetUser objectclass to your system account. You're probably lacking memberOf.

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

George Boyce, SAIC/NICS
GCC Systems Support
NASA GSFC Code 762

I was in Code 500 many moons ago, Center Network Environment (CNE).
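A worked version of the suggested fix, written as an added example for this thread (it is not from the original mail or from the FreeIPA project): the system account first gets the inetUser objectClass, which permits the memberOf attribute that the memberOf plugin writes on role membership, and only then is added to the role. The role name and account uid are taken from the thread; the base DN dc=example,dc=com is a placeholder you replace with your own.

```ldif
# Added example. Apply with the same command as in the thread:
#   ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-fixed.ldif
# Base DN dc=example,dc=com is a placeholder (assumption), not the real suffix.

# 1) Allow the entry to carry memberOf. Per the reply above, the
#    "Object class violation (65)" comes from the memberOf plugin trying to
#    write memberOf onto an entry whose objectClasses do not permit it.
dn: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: inetUser

# 2) The membership add from the thread, unchanged apart from the base DN.
dn: cn=A and A,cn=roles,cn=accounts,dc=example,dc=com
changetype: modify
add: member
member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=example,dc=com

# Check afterwards that the plugin populated memberOf on the account:
#   ldapsearch -Y GSSAPI -b "uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=example,dc=com" memberOf
# The role DN should appear as a memberOf value; the FreeIPA UI/CLI role
# view should list the system account as a member as well.
```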

