I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
On 1/24/19 4:17 PM, Adam Bishop via FreeIPA-users wrote:
> I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
> This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
> Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Hi Adam,
I did not find any existing permission allowing that. You will need to either write your own permission, or directly add a new ACI in 389-ds.
You first need to find the exact LDAP operations that the software is doing (for instance a search with base=xx and filter=yy requesting attributes zz). The attributes used in the filter have to be readable by the user performing the search, as well as the attributes requested. If the user is performing a search on its own entry, it is possible to use the ldap:///self bind rule in the ACI.
Please find more info re. 389-ds Access Control in [1].
HTH, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
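A concrete ACI of the kind flo describes, written as an added example rather than taken from the thread: it lets each sysaccount read only its own entry via the ldap:///self bind rule. The suffix dc=example,dc=com and the targetattr list are placeholders; the list must cover every attribute the software filters on and requests.

```ldif
# Constructed example (not from the thread): grant each sysaccount read,
# search and compare access to its own entry only. Because the bind rule
# is ldap:///self, a sysaccount still cannot see its siblings under
# cn=sysaccounts, which keeps the grant as narrow as the question asks for.
# Placeholders: dc=example,dc=com (your IPA suffix) and the targetattr
# list, which here assumes the software searches on uid and reads cn and
# objectClass; adjust it to the real filter and requested attributes.
dn: cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || cn || objectClass")(version 3.0; acl "Sysaccounts may read their own entry"; allow (read, search, compare) userdn = "ldap:///self";)
```

Apply it on an IPA server with `ldapmodify -x -D "cn=Directory Manager" -W -f sysaccount-self.ldif`, then verify by binding as the sysaccount and repeating the exact search the software performs.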