Re: [Freeipa-users] Read-only access to enforce OTP

2016-06-16 Thread Martin Kosek
On 06/16/2016 11:00 AM, Prashant Bapat wrote:
> Hi,
> 
> I'm writing a small script which will scan all the users and check if each
> one has set up an OTP. It will send out an email to the user if OTP is missing.
> 
> I added a new entry uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com.
> Problem is I'm able to read all the users' attributes but not able to read
> anything under the cn=otp,dc=example,dc=com tree.
> 
> What are the permissions or ACI I need to add to give read-only access to 
> this user?
> 
> Thanks.
> --Prashant

I would recommend creating a read permission for the tree & attributes/objects you
need to allow. Doc is here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html#creating-perms-cli

You cannot apply this permission to a system user with the API; you would need to use
ldapmodify and add the right membership. But you could create a service account
(service-add), create a keytab for the authentication and then assign it a role
that has a privilege that has your permission. I hope that makes sense.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
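The scan Prashant describes, as an added example rather than code from the thread: the offline part takes python-ldap-shaped search results and reports users with no enabled, in-date token, and fetch_live() runs the same check against a server once the keytab kinit and the read permission on cn=otp from Martin's reply are in place. The server name, python-ldap's sasl_gssapi_bind_s() and the ipatoken* attribute names (taken from the FreeIPA OTP schema) are assumptions, not from the thread.

```python
from datetime import datetime, timezone
# python-ldap search results look like [(dn, {attr: [bytes, ...]}), ...]; the
# entries built below are constructed sample data, not real directory output.
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"
OTP_BASE = "cn=otp,dc=example,dc=com"
SAMPLE_NOW = datetime(2016, 6, 16, tzinfo=timezone.utc)
def _user(uid):
    return ("uid=%s,%s" % (uid, USERS_BASE),
            {"uid": [uid.encode()], "mail": [("%s@example.com" % uid).encode()]})
def _token(owner, **extra):
    attrs = {"ipatokenOwner": [("uid=%s,%s" % (owner, USERS_BASE)).encode()]}
    attrs.update({k: [v.encode()] for k, v in extra.items()})
    return ("ipatokenUniqueID=%s-1,%s" % (owner, OTP_BASE), attrs)
SAMPLE_USERS = [_user(u) for u in ("alice", "bob", "carol", "dave")]
SAMPLE_TOKENS = [_token("alice"),                                     # usable
                 _token("carol", ipatokenDisabled="TRUE"),             # disabled
                 _token("dave", ipatokenNotAfter="20160101000000Z")]   # expired
def _first(attrs, name):  # first value of an attribute as str, or None when absent
    vals = attrs.get(name)
    return vals[0].decode() if vals else None

def token_is_active(attrs, now):
    """A token only counts when it is enabled and inside its validity window."""
    if (_first(attrs, "ipatokenDisabled") or "FALSE").upper() == "TRUE":
        return False
    fmt = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as the directory stores it
    nb, na = _first(attrs, "ipatokenNotBefore"), _first(attrs, "ipatokenNotAfter")
    if nb and datetime.strptime(nb, fmt).replace(tzinfo=timezone.utc) > now:
        return False
    if na and datetime.strptime(na, fmt).replace(tzinfo=timezone.utc) < now:
        return False
    return True

def users_without_token(users, tokens, now=None):
    """Map uid -> mail for every user owning no active token (the ones to notify)."""
    now = now or datetime.now(timezone.utc)
    owners = {_first(a, "ipatokenOwner").lower() for _, a in tokens
              if _first(a, "ipatokenOwner") and token_is_active(a, now)}
    return {_first(a, "uid"): _first(a, "mail") for dn, a in users if dn.lower() not in owners}

def fetch_live(uri="ldaps://ipa.example.com"):  # assumed host; kinit -kt <keytab> <principal> first
    """Same check against a real server; the read under OTP_BASE needs the cn=otp permission."""
    import ldap  # python-ldap, imported here so the offline part above needs no server
    conn = ldap.initialize(uri)
    conn.sasl_gssapi_bind_s()  # bind with the service account's Kerberos ticket
    users = conn.search_s(USERS_BASE, ldap.SCOPE_SUBTREE, "(objectClass=posixaccount)", ["uid", "mail"])
    tokens = conn.search_s(OTP_BASE, ldap.SCOPE_SUBTREE, "(objectClass=ipaToken)",
                           ["ipatokenOwner", "ipatokenDisabled", "ipatokenNotBefore", "ipatokenNotAfter"])
    return users_without_token(users, tokens)
```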


[Freeipa-users] Read-only access to enforce OTP

2016-06-16 Thread Prashant Bapat
Hi,

I'm writing a small script which will scan all the users and check if each
one has set up an OTP. It will send out an email to the user if OTP is
missing.

I added a new entry uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com.
Problem is I'm able to read all the users' attributes but not able to read
anything under the cn=otp,dc=example,dc=com tree.

What are the permissions or ACI I need to add to give read-only access to
this user?

Thanks.
--Prashant