On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58 Rich Megginson wrote:
On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
Hello Martin and List,

Pardon me, but something is wrong with the LDIF I

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry:
"cn=users,cn=accounts,dc=4gjn,dc=com"
dn: cn=users,cn=accounts,dc=4gjn,dc=com
this is in the LDIF?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
""

but what is wrong?
The value for the aci attribute spans multiple lines. In an LDIF file a continuation line has to start with a space. Try

dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
 (version 3.0; acl "Allow system account to read mail address"; allow(read,
 search, compare) userdn ="ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)


I have searched and read for days now, but this FreeIPA / LDAP problem is at
too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01 Martin Babinsky wrote:
On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
Hello Martin and List

Thanks for the answer and Help.

I mean, my big problem is understanding how to configure an ACI :-(.
# ldapmodify -x -D 'cn=Directory Manager' -W

   dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
   changetype: add
   objectclass: account
   objectclass: simplesecurityobject
   uid: system
   userPassword: secret123
   passwordExpirationTime: 20380119031407Z
   nsIdleTimeout: 0
   <blank line>

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp to find out whether this is current or old
:-(.

Thanks for an answer,
Hi Gunther,

that LDIF looks OK to me.

Do not forget that you must set up the correct ACIs in order for the
system account to see the 'mailAlternateAddress' attribute.
See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you
can use LDIF like this (untested, hopefully I got it right from the top
of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address";
allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
"""
Save it to a file and then call

ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to cn=users subtree. The ACI then applies to all entries
in the subtree.

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
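As an added example (not code from this thread, from FreeIPA or from 389 DS), the following Python script shows the two points the thread turns on: how an attribute value longer than one line must be folded in LDIF (RFC 2849: every continuation line starts with exactly one space, which the reader strips again), and what a well-formed ACI value looks like per the Red Hat Directory Server Administration Guide linked above (target rules, then `(version 3.0; acl "name"; permission bind_rule;)` with a single semicolon before the closing parenthesis). It folds the thread's ACI into a modify record, unfolds and parses it back the way ldapmodify would, reproduces the "invalid format (line 5)" rejection on a constructed copy of the LDIF Günther posted, and runs a syntax-shape check over the ACI text. The DN, attribute and ACI text are taken from the thread; the sample LDIF is constructed inline; all function names are the example's own, and the ACI check is a regular expression over the documented layout, not the server's ACL parser.

```python
# Added example: RFC 2849 LDIF folding/unfolding plus a shape check for the
# 389 DS / FreeIPA ACI syntax discussed in the thread. Not code from the
# mailing list, FreeIPA or 389 DS; the function names are this example's own.
import re

# The ACI from the thread as one unbroken value, with the single ';' before
# the closing parenthesis that the Red Hat DS Administration Guide documents.
ACI_VALUE = (
    '(targetattr="mailAlternateAddress")'
    '(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; '
    'allow (read, search, compare) '
    'userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)'
)
TARGET_DN = "cn=users,cn=accounts,dc=example,dc=com"

# Constructed copy of the LDIF that produced "invalid format (line 5)":
# the aci value continues on lines that do not start with a space.
BROKEN_LDIF = """dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version
3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";;)
"""


def fold_ldif_line(line, width=76):
    """Fold one 'name: value' line the RFC 2849 way: each continuation line
    begins with exactly one space, which the reader strips when unfolding."""
    if len(line) <= width:
        return [line]
    first, rest = line[:width], line[width:]
    chunk = width - 1  # leave room for the leading space on continuation lines
    return [first] + [" " + rest[i:i + chunk] for i in range(0, len(rest), chunk)]


def build_modify_ldif(dn, attr, value, width=76):
    """Render a 'changetype: modify / add: attr' record with the value folded."""
    lines = [f"dn: {dn}", "changetype: modify", f"add: {attr}"]
    lines += fold_ldif_line(f"{attr}: {value}", width)
    return "\n".join(lines) + "\n"


_ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*):\s?(.*)$")  # plain 'name: value' only


def parse_ldif_record(text):
    """Unfold and parse one LDIF record into [(name, value), ...].

    Mirrors what ldapmodify rejects: a non-empty line that is neither
    'name: value' nor a space-prefixed continuation is an error reported by
    its 1-based line number. Base64 ('::') and URL ('<') forms are not handled.
    """
    logical = []  # [(line number of the first physical line, unfolded text)]
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" "):
            if not logical:
                raise ValueError(f"invalid format (line {n}): nothing to continue")
            first_n, prev = logical[-1]
            logical[-1] = (first_n, prev + raw[1:])  # strip exactly one space
        elif raw and not raw.startswith("#"):
            logical.append((n, raw))
    attrs = []
    for n, line in logical:
        m = _ATTR_LINE.match(line)
        if m is None:
            raise ValueError(f"invalid format (line {n})")
        attrs.append((m.group(1), m.group(2)))
    return attrs


def ldif_error(text):
    """Return the parse error message for text, or None if it parses."""
    try:
        parse_ldif_record(text)
    except ValueError as exc:
        return str(exc)
    return None


# Documented ACI layout: target rule(s), then
# (version 3.0; acl "name"; allow|deny (rights) bind_rule;)
# This is a syntax sanity check only, not the server's ACL parser.
_ACI_SHAPE = re.compile(
    r'^(\(\w+\s*!?=\s*"[^"]*"\))+'            # (targetattr="...")(targetfilter="...")
    r'\(version\s+3\.0;\s*acl\s+"[^"]+";\s*'   # (version 3.0; acl "name";
    r'(?:allow|deny)\s*\([^)]+\)\s*'           # allow (read, search, compare)
    r'[^;]+;\)$'                               # userdn = "ldap:///...";)
)


def aci_looks_wellformed(value):
    """True if value matches the documented ACI layout (single ';' before ')')."""
    return _ACI_SHAPE.match(value) is not None


if __name__ == "__main__":
    print(ldif_error(BROKEN_LDIF))  # the same line number ldapmodify reported
    ldif = build_modify_ldif(TARGET_DN, "aci", ACI_VALUE)
    print(ldif)  # every continuation line starts with a single space
    print(dict(parse_ldif_record(ldif))["aci"] == ACI_VALUE)
    print(aci_looks_wellformed(ACI_VALUE),
          aci_looks_wellformed(ACI_VALUE.replace(";)", ";;)")))
```

Feed the output of `build_modify_ldif` to `ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif` as in the thread; the folding width is arbitrary, since the server only cares that continuation lines carry the leading space. The shape check deliberately rejects the doubled `;;)` ending that appears in the earlier copies of the ACI, because it does not match the documented form; whether a given 389 DS build tolerates it is not something this check decides.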
