On 1/29/19 12:23 PM, Rob Crittenden wrote:
> So what I think you'll have to do is create a separate LDAP system
> account, details are in the LDAP howto on freeipa.org.

I stumbled across that sometime in the bleary hours of this morning.
Good to know that I was barking up the right tree.

> And you'll need to do a bit of manual work to allow this system account
> read access to the membership info. You can do this by using ldapmodify
> to add memberof: for the permission (or permissions) you
> need to grant it.

For whatever reason, I didn't need to do anything special. It "just
worked" once I created the account.

# ldapsearch -x -D uid=radiusd,cn=sysaccounts,cn=etc,dc=example,dc=com \
-W -b cn=users,cn=accounts,dc=example,dc=com '(uid=test)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=test)
# requesting: ALL
#
# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20290126192822Z
krbLastPwdChange: 20190129192822Z
displayName: Test User
uid: test
krbCanonicalName: t...@example.com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: TU
gecos: Test User
sn: User
homeDirectory: /home/test
mail: t...@example.com
krbPrincipalName: t...@example.com
givenName: Test
cn: Test User
ipaUniqueID: fde5c420-23fb-11e9-bed0-00224db7a139
uidNumber: 178527
gidNumber: 178527
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
--
Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"
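
Added example, not part of the original message and not FreeIPA or FreeRADIUS code: a group check over ldapsearch output like the result above, which denies when the bind account cannot see memberOf (the read-access case Rob describes). The function names and the sample text are assumptions made for illustration.

```python
import base64
import re

# Constructed sample modelled on the ldapsearch output in the message above.
SAMPLE_LDIF = """\
# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=wifi,cn=groups,cn=accounts,
 dc=example,dc=com
displayName:: VGVzdCBVc2Vy

search: 2
"""

def parse_ldif_entry(text):
    """Return {attribute_lowercased: [values]} for the first entry in text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # LDIF continuation line: unfold
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line.strip():
            if entry:
                break                      # blank line ends the entry
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):           # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def norm_dn(dn):
    """Case- and whitespace-insensitive DN form (simplified: single-valued RDNs)."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join("=".join(p.strip() for p in r.split("=", 1)).lower() for r in rdns)

def is_member(entry, group_dn):
    """Fail closed: an entry with no visible memberOf is never a member."""
    wanted = norm_dn(group_dn)
    return any(norm_dn(v) == wanted for v in entry.get("memberof", []))
```

Requesting only memberOf in the search, rather than all attributes, keeps what the service account pulls back to what this check uses.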