On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
Hello Martin and List

Thanks for the answer and Help.

I mean my big Problem is to understand the way to configure a ACI :-(.

I can't found any example or docs to configure this correct :-(.

I mean this is a problem for the professional LIGA in FreeIPA , and I am not a
professional :-(..

 I make this, for all LDAP configured Apps

ipa group-add systemers  --nonposix  #group

 ipa pwpolicy-add systemers --maxlife=20000 --minclasses=3 --priority=0

 ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos=""
--shell=/usr/sbin/nologin --email="" --random #user

This user (ldapbind) is only in group systemers

But now I have to create for this user a ACI to read the uid,

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have a ACI like
access to attribute= ............

Have any a hint or link to understand this Problem?

Thanks for a answer and help,

Am Montag, 17. Oktober 2016, 07:35:26 schrieb Martin Babinsky:
On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:

IPA 4.3.1

I have a big Problem with my LDAP Read User (ldapbind) I like to install
dovecot with IPA, but I must have "mailAternateAddress" I found a Plugin
for this, but now I cant read this Attributes :-(.

Is this the actual way to implement a System Account

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>


The IPA Docs have no time stamp to found out, is this actual or old :-(.

Thanks for a answer,

Hi Gunther,

that LDIF look ok to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternaleAddress' attribute.

See the following document for a step-by-step guide on how to write ACIs:


To allow the system account read access to your custom attributes, you can use LDIF like this (untested, hopefully I got it right from the top of my head):

dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
save it to file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to cn=users subtree. The ACI then applies to all entries in the subtree.

Martin^3 Babinsky

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to