Does anyone have any advice? I have been scouring Google, but I have not been able to find any definitive answers :/
Best regards,
René Johansen
System Administrator
Christians Brygge 1
1219 København K
Tel: 31625208

On Fri, 11 Sep 2020 at 10:47, René Johansen via FreeIPA-users <[email protected]> wrote:
> Hi Rob (and others),
>
> Thank you for taking the time to respond.
>
> I tried the suggested solution and it does not seem to allow the google
> user to modify ipa_pwd_extop.
>
> Specifically, I tried the following:
>
> ```
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=google,cn=users,cn=accounts,dc=XXX,dc=XXX
> ```
>
> But the service still is not syncing password hashes (I am using Google
> Cloud Directory Sync; it only reads hashes from LDAP and compares them to
> the stored hashes, and updates the stored hashes if a new password has been
> set in LDAP; there are no writes from Google to LDAP), as seen when running
> GCDS in debug mode (it doesn't get the userPassword attribute):
>
> ```
> [2020-09-11 10:32:15,938+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Executing LDAP rule, scope "SUBTREE", filter "memberof=cn=mail,cn=groups,cn=accounts,dc=dsl,dc=lan"
> [2020-09-11 10:32:15,943+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "uid"
> [2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "mail"
> [2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "givenName"
> [2020-09-11 10:32:15,945+0200] [pool-3-thread-24] [DEBUG] [plugin.ldap.AbstractLdapHandler] Will retrieve notable LDAP attribute "sn"
> ```
>
> It has been suggested that I try adding permissions via an ACI, but I am
> unsure of how to do this.
>
> The following was suggested:
>
> ```
> aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(groupdn = "ldap:///<system accounts group dn>");)
> ```
>
> What would I need to specify as "groupdn"?
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
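As an added example, not from the thread and not FreeIPA project code: the ACI quoted above, written out as an LDIF modification that can be applied with `ldapmodify` as Directory Manager. It grants read, search and compare on userPassword only, only within the users subtree, and only to the one bind DN GCDS uses, which is the narrowest grant that lets a sync agent read hashes. The suffix `dc=example,dc=com` is a placeholder for the real base DN; the bind DN follows the `uid=google,cn=users,cn=accounts,...` account named in the thread. The `groupdn` variant in the trailing comment uses a hypothetical group `cn=gcds-readers` that does not exist in the thread; it answers the question of what goes in `groupdn`: the DN of a group whose `member` attribute lists the bind account.

```ldif
# Added example (not from the thread). Apply with:
#   ldapmodify -x -H ldaps://ipa.example.com -D "cn=Directory Manager" -W -f gcds-aci.ldif
# The ACI is attached to the suffix; its "target" clause limits it to the
# users subtree, and "targetattr" limits it to the single hash attribute.
# Continuation lines start with one space (stripped by LDIF) plus one kept.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
  (target = "ldap:///cn=users,cn=accounts,dc=example,dc=com")
  (version 3.0; acl "Allow GCDS bind DN to read password hashes";
  allow (read,search,compare)
  userdn = "ldap:///uid=google,cn=users,cn=accounts,dc=example,dc=com";)

# If the grant must be expressed per group rather than per bind DN, replace
# the final bind rule with a groupdn pointing at a group that contains the
# bind account (cn=gcds-readers is hypothetical):
#   groupdn = "ldap:///cn=gcds-readers,cn=groups,cn=accounts,dc=example,dc=com"
# groupdn is satisfied by any DN listed in that group's member attribute, so
# the value to supply is the DN of an existing group, not of the bind user.
```

To confirm the grant took effect, bind as the sync account and ask for the attribute explicitly; it is returned only when an ACI allows it, so an empty result means the bind rule or target did not match: `ldapsearch -x -H ldaps://ipa.example.com -D "uid=google,cn=users,cn=accounts,dc=example,dc=com" -W -b "cn=users,cn=accounts,dc=example,dc=com" "(uid=*)" userPassword`. The same grant can be expressed through FreeIPA's own permission, privilege and role objects (`ipa permission-add` with `--attrs=userPassword --right=read --right=search --right=compare --type=user`, then a privilege and a role holding the sync account); a managed permission's ACI uses a `groupdn` bind rule that points at the permission entry under `cn=permissions,cn=pbac`, which is how FreeIPA itself answers the groupdn question. Whichever form is used, read access to stored hashes is sensitive: keep it scoped to one bind DN, one subtree and one attribute, and audit that bind account like any other credential holder.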
