On 06/16/2016 11:00 AM, Prashant Bapat wrote:
> Hi,
> I'm writing a small script which will scan all the users and check if each
> one has set up an OTP. It will send out an email to the user if OTP is missing.
> I added a new entry uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com.
> Problem is I'm able to read all the users' attributes but not able to read
> anything under the cn=otp,dc=example,dc=com tree.
> What are the permissions or ACI I need to add to give read-only access to
> this user?
> Thanks.
> --Prashant

I would recommend creating a read permission for the tree and the attributes/objects
you need to allow. Doc is here:


You cannot apply this permission to a system user with the API; you would need to use
ldapmodify and add the right membership. But you could create a service account
(service-add), create a keytab for the authentication and then assign it a role
that has a privilege that has your permission. I hope that makes sense.
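The service-account route described above, as an added example that is not code from this thread or from the FreeIPA project: a read-only permission on the cn=otp subtree wrapped in a privilege and a role, a Kerberos service principal as the role member, and the scan itself authenticating with that principal's keytab. The realm, server, base DN, principal name, keytab path and the permission/privilege/role names are assumptions; the user-list and token-owner comparison is shown with constructed data in the test.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: server ipa.example.com,
# base dc=example,dc=com, principal otp-check/app.example.com, and the
# permission/privilege/role names below.
set -eu

BASE_DN='dc=example,dc=com'
IPA_SERVER='ipa.example.com'
SVC='otp-check/app.example.com'
KEYTAB='/etc/otp-check.keytab'

# One-time setup, run with an admin ticket: permission -> privilege -> role,
# then a service account (not a sysaccount) as the role member.
grant_otp_read() {
    ipa permission-add 'Read OTP tokens' \
        --right=read --right=search --right=compare \
        --subtree="cn=otp,$BASE_DN" \
        --attrs=objectclass --attrs=ipatokenuniqueid \
        --attrs=ipatokenowner --attrs=ipatokendisabled
    ipa privilege-add 'OTP token readers' --desc='Read-only view of OTP tokens'
    ipa privilege-add-permission 'OTP token readers' --permissions='Read OTP tokens'
    ipa role-add 'OTP token auditor' --desc='May list OTP tokens, not change them'
    ipa role-add-privilege 'OTP token auditor' --privileges='OTP token readers'
    ipa service-add "$SVC"
    ipa role-add-member 'OTP token auditor' --services="$SVC"
    ipa-getkeytab -s "$IPA_SERVER" -p "$SVC" -k "$KEYTAB"   # keytab for the script
}

# $1: all uids, one per line; $2: ipatokenOwner DNs of enabled tokens, one per line.
# Prints the uids that own no enabled token (uid match is case-insensitive, as in LDAP).
users_without_otp() {
    owner_uids=$(printf '%s\n' "$2" | sed -n 's/^uid=\([^,]*\),.*/\1/p')
    printf '%s\n' "$1" | while IFS= read -r uid; do
        [ -n "$uid" ] || continue
        printf '%s\n' "$owner_uids" | grep -qixF -- "$uid" || printf '%s\n' "$uid"
    done
}

# The scan itself: authenticate with the keytab and read both subtrees over GSSAPI.
report_missing_otp() {
    kinit -kt "$KEYTAB" "$SVC"
    users=$(ldapsearch -LLL -Y GSSAPI -H "ldap://$IPA_SERVER" \
        -b "cn=users,cn=accounts,$BASE_DN" '(objectclass=posixaccount)' uid \
        | sed -n 's/^uid: //p')
    owners=$(ldapsearch -LLL -Y GSSAPI -H "ldap://$IPA_SERVER" -b "cn=otp,$BASE_DN" \
        '(&(objectclass=ipatoken)(!(ipatokendisabled=TRUE)))' ipatokenOwner \
        | sed -n 's/^ipatokenOwner: //p')
    users_without_otp "$users" "$owners"
}
# Usage: grant_otp_read once as admin; then run report_missing_otp from the audit host.
```

The service principal ends up with read, search and compare rights only, so a compromise of the audit host's keytab cannot alter or delete tokens.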


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project