On 06/16/2016 11:00 AM, Prashant Bapat wrote:
> Hi,
>
> I'm writing a small script which will scan all the users and check if each one
> has set up an OTP. It will send out an email to the user if OTP is missing.
>
> I added a new entry /uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com/.
> Problem is I'm able to read all the users' attributes but not able to read
> anything under the /cn=otp,dc=example,dc=com/ tree.
>
> What are the permissions or ACI I need to add to give read-only access to
> this user?
>
> Thanks.
> --Prashant
I would recommend creating a read permission for the tree & attributes/objects you need to allow. Doc is here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html#creating-perms-cli

You cannot apply this permission to a system user with the API; you would need to use ldapmodify and add the right membership. But you could create a service account (service-add), create a keytab for the authentication and then assign it a role that has a privilege that has your permission.

I hope that makes sense.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
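The permission -> privilege -> role chain Martin describes, wired up for a Kerberos service principal instead of the cn=sysaccounts entry, as an added example that is not Martin's code or part of FreeIPA itself. The realm EXAMPLE.COM, the server and host names, the keytab path and the permission/privilege/role names are assumed placeholders; the host running the check must already be enrolled.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholders: realm EXAMPLE.COM,
# IPA server ipa.example.com, enrolled host otpcheck.example.com, keytab path.
set -u

REALM="${REALM:-EXAMPLE.COM}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
CHECK_HOST="${CHECK_HOST:-otpcheck.example.com}"
KEYTAB="${KEYTAB:-/etc/otp-check.keytab}"

# Run a command, or only print it when DRY_RUN is set, so the plan can be reviewed first.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# EXAMPLE.COM -> dc=example,dc=com
realm_to_basedn() {
    echo "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# The subtree the check script needs to read: cn=otp,dc=example,dc=com
otp_subtree() {
    echo "cn=otp,$(realm_to_basedn "$1")"
}

grant_otp_read_access() {
    principal="otp-check/$CHECK_HOST@$REALM"
    # 1. Permission: read/search/compare on token objects under cn=otp, limited to
    #    the attributes the check needs. The token secret (ipatokenotpkey) is not granted.
    run ipa permission-add "Read OTP token owners (otp-check)" \
        --right=read --right=search --right=compare --type=otptoken \
        --attrs=objectclass --attrs=ipatokenuniqueid \
        --attrs=ipatokenowner --attrs=ipatokendisabled
    # 2. Privilege and role that carry the permission.
    run ipa privilege-add "OTP enrollment auditor"
    run ipa privilege-add-permission "OTP enrollment auditor" \
        --permissions="Read OTP token owners (otp-check)"
    run ipa role-add "OTP enrollment auditor"
    run ipa role-add-privilege "OTP enrollment auditor" --privileges="OTP enrollment auditor"
    # 3. Service principal for the script, its role membership and its keytab.
    run ipa service-add "$principal"
    run ipa role-add-member "OTP enrollment auditor" --services="$principal"
    run ipa-getkeytab -s "$IPA_SERVER" -p "$principal" -k "$KEYTAB"
}

# The check itself: authenticate with the keytab and list token owners, nothing more.
list_token_owners() {
    kinit -kt "$KEYTAB" "otp-check/$CHECK_HOST@$REALM" &&
    ldapsearch -Q -Y GSSAPI -H "ldap://$IPA_SERVER" -b "$(otp_subtree "$REALM")" \
        -LLL '(ipatokenowner=*)' ipatokenowner
}

if [ "${1:-}" = "apply" ]; then grant_otp_read_access; fi
```

Run it with `DRY_RUN=1 sh script.sh apply` first to print the planned ipa commands; users with no entry in the `ipatokenowner` output of `list_token_owners` are the ones to notify.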