Hi Rob (and others).. Thank you for taking the time to respond..
I tried the suggested solution and it does not seem to allow the google user to modify ipa_pwd_extop. Specifically, I tried the following:

```
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncMamagersDNs
passSyncManagersDNs: uid=google,cn=users,cn=accounts,dc=XXX,dc=XXX
```

But the service still is not syncing password hashes (I am using Google Cloud Directory Sync; it only reads hashes (from ldap) and compares them to stored hashes, and updates the stored hashes if a new password has been set in ldap; there are no writes from google to ldap), as seen when running GCDS in debug mode (it doesn't get the userPassword attribute):

```
[2020-09-11 10:32:15,938+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Executing LDAP rule, scope "SUBTREE", filter "memberof=cn=mail,cn=groups,cn=accounts,dc=dsl,dc=lan"
[2020-09-11 10:32:15,943+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "uid"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "mail"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "givenName"
[2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "sn"
```

It has been suggested that I try adding permissions via an aci, but I am unsure of how to do this. The following was suggested:

`aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(groupdn = "ldap:///<system accounts group dn>");)`

What would I need to specify as "groupdn"?
