On 03/15/2016 04:28 AM, Prashant Bapat wrote:
> Anyone?
>
> On 11 March 2016 at 22:12, Prashant Bapat <prash...@apigee.com
> <mailto:prash...@apigee.com>> wrote:
>
> Hi,
>
> I'm trying to use IPA's LDAP server as the user database for an external
> application.
>
> I have created a service account from the ldif below.
>
> dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: system
> userPassword: changeme!
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
>
> This works fine. My question is what's the ACI associated with this new
> user?
> Does this user have read-only access to everything in LDAP? Or should I
> add/tune the ACI.
This system user can now access all LDAP data that are allowed for authenticated users. It should not have permission to actually write anything unless you allow any user to write something. You can see the FreeIPA system read permissions [1] to see what authenticated users are allowed to read. At minimum, they can read more information about users, group members and others:

# ipa permission-find --bindtype=all | grep "Permission name"
  Permission name: System: Read AD Domains
  Permission name: System: Read CA ACLs
  Permission name: System: Read CA Renewal Information
  Permission name: System: Read Certificate Profiles
  Permission name: System: Read DNA Configuration
  Permission name: System: Read Domain Level
  Permission name: System: Read Global Configuration
  Permission name: System: Read Group ID Overrides
  Permission name: System: Read Group Membership
  Permission name: System: Read HBAC Rules
  Permission name: System: Read HBAC Service Groups
  Permission name: System: Read HBAC Services
  Permission name: System: Read Host Membership
  Permission name: System: Read Hostgroup Membership
  Permission name: System: Read Hostgroups
  Permission name: System: Read Hosts
  Permission name: System: Read ID Ranges
  Permission name: System: Read ID Views
  Permission name: System: Read Netgroup Membership
  Permission name: System: Read Netgroups
  Permission name: System: Read OTP Configuration
  Permission name: System: Read Realm Domains
  Permission name: System: Read Replication Information
  Permission name: System: Read SELinux User Maps
  Permission name: System: Read Services
  Permission name: System: Read Sudo Command Groups
  Permission name: System: Read Sudo Commands
  Permission name: System: Read Sudo Rules
  Permission name: System: Read Trust Information
  Permission name: System: Read User Addressbook Attributes
  Permission name: System: Read User ID Overrides
  Permission name: System: Read User IPA Attributes
  Permission name: System: Read User Kerberos Attributes
  Permission name: System: Read User Membership

Martin

[1] http://www.freeipa.org/page/V4/Managed_Read_permissions

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
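The reply above says the sysaccount inherits the read rights of any authenticated bind and should get no write rights. Rather than trusting the permission list, the practical check is to bind as the account and probe both directions. The script below is an added example, not code from the thread or from the FreeIPA project: it assumes the OpenLDAP client tools (ldapsearch, ldapmodify), a server at `$LDAP_URI`, the default FreeIPA layout `cn=users,cn=accounts,<suffix>`, and the account DN from the post. The OpenLDAP tools exit with the LDAP result code on failure, so a write that the ACIs deny shows up as exit status 50 (insufficientAccessRights); the optional third probe asks the 389-ds Get Effective Rights control directly, and its control syntax on the OpenLDAP command line is an assumption to verify against your ldapsearch version.

```shell
#!/bin/sh
# Added example: probe what the FreeIPA sysaccount can read and write.
# Assumptions (not from the original post): server URI, suffix and the
# test user name below; override them through the environment.
LDAP_URI="${LDAP_URI:-ldaps://ipa.example.com}"
BASE="${BASE:-dc=example,dc=com}"
BIND_DN="uid=srv-ro,cn=sysaccounts,cn=etc,$BASE"
BIND_PW="${BIND_PW:-changeme!}"   # prefer -y <pwfile> over -w in real use
GER_OID="1.3.6.1.4.1.42.2.27.9.5.2"  # 389-ds Get Effective Rights control

# Map an OpenLDAP client tool exit status to the LDAP result name.
# The tools exit with the LDAP result code when the operation fails.
ldap_rc_name() {
    case "$1" in
        0)  echo success ;;
        32) echo noSuchObject ;;
        49) echo invalidCredentials ;;
        50) echo insufficientAccessRights ;;
        *)  echo "other($1)" ;;
    esac
}

# Decide whether a probe result matches what a read-only account should give:
# reads succeed, writes are refused by the ACIs (not by a bad bind).
expect_rc() {
    # $1 = "read" or "write", $2 = exit status of the probe
    case "$1:$(ldap_rc_name "$2")" in
        read:success|write:insufficientAccessRights) echo ok ;;
        *) echo "UNEXPECTED $1 -> $(ldap_rc_name "$2")" ;;
    esac
}

# Probe 1: read user entries with the attributes an external app needs.
read_users() {
    ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -w "$BIND_PW" \
        -b "cn=users,cn=accounts,$BASE" '(objectclass=posixaccount)' \
        uid mail memberOf
}

# Probe 2: try a harmless write to one user; a correct setup returns 50.
write_probe() {
    user="$1"
    rc=0
    ldapmodify -H "$LDAP_URI" -x -D "$BIND_DN" -w "$BIND_PW" >/dev/null 2>&1 <<EOF || rc=$?
dn: uid=$user,cn=users,cn=accounts,$BASE
changetype: modify
replace: description
description: written by srv-ro (should be denied)
EOF
    echo "$rc"
}

# Probe 3 (optional): ask the server which rights the bound DN has on a
# user entry. 389-ds returns entryLevelRights / attributeLevelRights;
# the "-E '!oid=:value'" form is assumed to be accepted by your ldapsearch.
effective_rights() {
    user="$1"
    ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -w "$BIND_PW" \
        -b "uid=$user,cn=users,cn=accounts,$BASE" -s base \
        -E "!$GER_OID=:dn:$BIND_DN" '(objectclass=*)' \
        entryLevelRights attributeLevelRights
}

main() {
    user="${TEST_USER:-admin}"
    echo "== users visible to $BIND_DN =="
    read_users; rc=$?
    echo "read probe: $(expect_rc read "$rc")"
    wrc=$(write_probe "$user")
    echo "write probe on $user: $(expect_rc write "$wrc")"
    echo "== effective rights on uid=$user =="
    effective_rights "$user" || echo "GER control not available"
}

# Run the live probes only when asked, so the file can be sourced safely.
if [ "${RUN_PROBES:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_PROBES=1 BIND_PW=... TEST_USER=someuser sh probe-srv-ro.sh`. A write probe that comes back `success` means a broad write ACI applies to all authenticated users and the reply's assumption does not hold in your directory; `invalidCredentials` on either probe means the bind itself failed and nothing about the ACIs has been tested yet.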