Great! Thanks Martin.

On 16 March 2016 at 19:07, Martin Kosek <mko...@redhat.com> wrote:

> On 03/15/2016 04:28 AM, Prashant Bapat wrote:
> > Anyone?
> >
> > On 11 March 2016 at 22:12, Prashant Bapat <prash...@apigee.com> wrote:
> >
> >     Hi,
> >
> >     I'm trying to use IPA's LDAP server as the user database for an external
> >     application.
> >
> >     I have created a service account from the ldif below.
> >
> >     dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
> >     changetype: add
> >     objectclass: account
> >     objectclass: simplesecurityobject
> >     uid: system
> >     userPassword: changeme!
> >     passwordExpirationTime: 20380119031407Z
> >     nsIdleTimeout: 0
> >
> >     This works fine. My question is what's the ACI associated with this new user?
> >     Does this user have read-only access to everything in LDAP? Or should I
> >     add/tune the ACI.
>
> This system user can now access all LDAP data that is allowed for
> authenticated users. It should not have permission to actually write
> something unless you allow any user to write something.
>
> You can see the FreeIPA system read permissions [1] to see what authenticated
> users are allowed to read. At minimum, they can read more information about
> users, group members and others:
>
> # ipa permission-find --bindtype=all | grep "Permission name"
>   Permission name: System: Read AD Domains
>   Permission name: System: Read CA ACLs
>   Permission name: System: Read CA Renewal Information
>   Permission name: System: Read Certificate Profiles
>   Permission name: System: Read DNA Configuration
>   Permission name: System: Read Domain Level
>   Permission name: System: Read Global Configuration
>   Permission name: System: Read Group ID Overrides
>   Permission name: System: Read Group Membership
>   Permission name: System: Read HBAC Rules
>   Permission name: System: Read HBAC Service Groups
>   Permission name: System: Read HBAC Services
>   Permission name: System: Read Host Membership
>   Permission name: System: Read Hostgroup Membership
>   Permission name: System: Read Hostgroups
>   Permission name: System: Read Hosts
>   Permission name: System: Read ID Ranges
>   Permission name: System: Read ID Views
>   Permission name: System: Read Netgroup Membership
>   Permission name: System: Read Netgroups
>   Permission name: System: Read OTP Configuration
>   Permission name: System: Read Realm Domains
>   Permission name: System: Read Replication Information
>   Permission name: System: Read SELinux User Maps
>   Permission name: System: Read Services
>   Permission name: System: Read Sudo Command Groups
>   Permission name: System: Read Sudo Commands
>   Permission name: System: Read Sudo Rules
>   Permission name: System: Read Trust Information
>   Permission name: System: Read User Addressbook Attributes
>   Permission name: System: Read User ID Overrides
>   Permission name: System: Read User IPA Attributes
>   Permission name: System: Read User Kerberos Attributes
>   Permission name: System: Read User Membership
>
> Martin
>
> [1] http://www.freeipa.org/page/V4/Managed_Read_permissions
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
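Martin's answer is that a sysaccount bind gets whatever the "bind rule type: all" permissions grant, and that this should be read-only unless someone has added a permission that gives every authenticated bind write rights. The grep above shows only the names; the added example below (not from the thread, FreeIPA or Red Hat) parses the full `ipa permission-find` records and flags any bind-type-all permission whose granted rights include write, add or delete. The sample output is constructed to mirror the record layout of that command, and the field labels it keys on ("Permission name", "Granted rights", "Bind rule type") are assumed to match the labels your IPA version prints; the "Example: ..." permission is a made-up custom permission included so the check has something to find.

```python
"""Audit `ipa permission-find` output for permissions that grant
write-class rights to every authenticated bind (bind rule type "all").

Added example, not FreeIPA's own code. The record layout and field
labels are assumed from typical `ipa permission-find` output.
"""
from typing import Dict, List, Set

# Rights that let a bind change data rather than only read it.
WRITE_RIGHTS = {"write", "add", "delete"}

# Constructed sample of `ipa permission-find --bindtype=all` output.
# The two "System: Read ..." records reflect managed read permissions
# named in the thread; "Example: ..." is a made-up custom permission.
SAMPLE_OUTPUT = """\
---------------------
3 permissions matched
---------------------
  Permission name: System: Read Group Membership
  Granted rights: read, search, compare
  Effective attributes: member, memberof, memberuid, memberuser, memberhost
  Bind rule type: all
  Subtree: cn=groups,cn=accounts,dc=example,dc=com

  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, search, compare
  Effective attributes: cn, displayname, givenname, mail, sn, telephonenumber
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com

  Permission name: Example: Anyone can edit user description
  Granted rights: write
  Effective attributes: description
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_permission_find(output: str) -> List[Dict[str, str]]:
    """Split `ipa permission-find` text into one dict per permission.

    Records are separated by blank lines or banner lines; each field is
    "Key: value". Only the first colon is treated as the separator, so
    values that themselves contain a colon (e.g. "System: Read AD Domains")
    are kept intact.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        # Blank lines, dashed rules and summary lines (no colon) end a record.
        if not line or set(line) == {"-"} or ":" not in line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def granted_rights(record: Dict[str, str]) -> Set[str]:
    """Return the set of rights a permission grants, lower-cased."""
    return {r.strip().lower()
            for r in record.get("Granted rights", "").split(",") if r.strip()}


def writable_by_all(records: List[Dict[str, str]]) -> List[str]:
    """Names of permissions that give every authenticated bind write-class rights.

    An empty list is the expected state Martin describes: sysaccounts
    can read what bind-type-all permissions expose, but cannot write.
    """
    return [rec["Permission name"] for rec in records
            if rec.get("Bind rule type", "").lower() == "all"
            and granted_rights(rec) & WRITE_RIGHTS]


if __name__ == "__main__":
    recs = parse_permission_find(SAMPLE_OUTPUT)
    print(f"{len(recs)} bind-type-all permissions parsed")
    for name in writable_by_all(recs):
        print("write rights granted to all authenticated binds:", name)
```

To run it against a real server, capture `ipa permission-find --bindtype=all` to a file and pass its contents to `parse_permission_find` instead of `SAMPLE_OUTPUT`; any name printed by `writable_by_all` is a permission worth reviewing, because it is reachable from the srv-ro bind (and every other authenticated bind) even though the account was meant to be read-only.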