On 1/24/19 4:17 PM, Adam Bishop via FreeIPA-users wrote:

I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.

This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.

Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?

Hi Adam,

I did not find any existing permission allowing that. You will need to either write your own permission, or directly a new ACI in 389-ds.

You need first to find the exact LDAP operations that the software is doing (for instance a search with base=xx and filter=yy requesting attributes zz). The attributes used in the filter have to be readable by the user performing the search, as well as the attributes requested. If the user is performing a search on its own entry, it is possible to use the ldap:///self bind rule in the ACI.

Please find more info re. 389-ds Access Control in [1].

HTH, flo

[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...

Many Thanks,

Adam Bishop _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...