Nicola Canepa wrote:
> Hello, I'm trying to replicate a subtree of the data from FreeIPA to a
> "foreign" LDAP server, by using LSC (http://lsc-project.org).
> The replication seems to work correctly, but I was unable to create a
> user (maybe even not visible from the web GUI) which could read
> the userPassword field.
> Which ACI/Role/Group should I use for this purpose?
>
> Thank you for any hint: I did not find such information inside the
> documentation.

Depending on the type of bind user you're using you'd need to add your own
permission or ACI to grant read on userPassword. I'd tread very carefully
here and triple check that the ACI does only what you need and doesn't
otherwise leak data, and especially watch those who can assign roles to
avoid accidental disclosure.

rob
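
One way to carry out the "triple check" suggested in the reply, as an added example that is not part of the original thread or of FreeIPA: a small Python audit that takes 389 DS style ACI strings and reports which ones allow read on userPassword, and to whom. The sample ACIs, the `uid=lsc` system account, the `dc=example,dc=test` suffix and the function names are constructed for illustration.

```python
import re

# Subjects that match every client or every authenticated user.
BROAD = {"ldap:///anyone", "ldap:///all"}

def password_readers(aci):
    """Return (acl name, subjects, broad?) if the ACI allows read on
    userPassword, otherwise None."""
    ta = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci, re.I)
    if not ta:
        return None  # assumption: without targetattr no attribute is targeted
    attrs = {a.strip().lower() for a in ta.group(2).split("||")}
    listed = "userpassword" in attrs or "*" in attrs
    # "=" grants the listed attributes, "!=" grants everything except them.
    covered = listed if ta.group(1) == "=" else not listed
    allow = re.search(r'\ballow\s*\(([^)]*)\)', aci, re.I)
    rights = {r.strip().lower() for r in allow.group(1).split(",")} if allow else set()
    if not covered or not rights & {"read", "all"}:
        return None
    name = re.search(r'\bacl\s+"([^"]*)"', aci, re.I)
    bind = re.findall(r'\b(userdn|groupdn|roledn)\s*!?=\s*"([^"]*)"', aci, re.I)
    subjects = [u.strip().lower() for _, v in bind for u in v.split("||")]
    return (name.group(1) if name else "?", subjects,
            any(s in BROAD for s in subjects))

# Constructed sample ACIs (not taken from a real FreeIPA tree).
SAMPLE_ACIS = [
    '(targetattr = "userPassword")(version 3.0; acl "LSC sync read password"; '
    'allow (read, search, compare) '
    'userdn = "ldap:///uid=lsc,cn=sysaccounts,cn=etc,dc=example,dc=test";)',
    '(targetattr = "*")(version 3.0; acl "too wide"; '
    'allow (read) userdn = "ldap:///all";)',
    '(targetattr != "userPassword || krbPrincipalKey")(version 3.0; '
    'acl "anon read"; allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr != "krbPrincipalKey")(version 3.0; acl "exclusion misses password"; '
    'allow (all) groupdn = "ldap:///cn=helpdesk,cn=groups,dc=example,dc=test";)',
]

def audit(acis):
    """Keep only the ACIs that expose userPassword."""
    return [hit for hit in map(password_readers, acis) if hit]

if __name__ == "__main__":
    for name, subjects, broad in audit(SAMPLE_ACIS):
        print("BROAD " if broad else "review", name, subjects)
```

Every ACI the audit reports other than the one written for the replication account deserves a second look, including exclusion-style (`!=`) rules that simply forgot to list userPassword.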