Hi Rob,

Thanks for the reply. This is what I have done so far.

1. Installed my custom container - cn=Multicast,dc=example,dc=com
2. Created a group called x500 -
cn=x500,cn=groups,cn=accounts,dc=example,dc=com
3. Added my account "tony" into the x500 group
4. Created an x500 role
5. Created a x500 privilege
6. Created an IPA Permission - permission box checked, grants all access
(all, write, delete, read, etc), subtree is
cn=Multicast,dc=example,dc=com, memberOf has x500 group.
7. Assigned the permission to the x500 privilege, and assigned the
privilege to x500 role.
8. Used Jxplorer (an LDAP browser) and logged in as
"uid=tony,cn=users,cn=accounts,dc=example,dc=com"
9. Tried adding/deleting entries under cn=Multicast,dc=example,dc=com and got
"Insufficient Access"
10. If I associate my account "tony" with the "admins" group, I will be
able to add/delete/write.

I also would like to assign anonymous read/search/compare access to
cn=Multicast,dc=example,dc=com

Nonetheless, it works if I add the ACIs manually:

ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=Multicast,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*") (version 3.0; acl "Allow anonymous search";
 allow (read,search,compare) userdn= "ldap:///anyone";)

What am I missing here?

Thanks!!!

--Tony
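
An added example (not from the post, and not FreeIPA's own code) for comparing the manual ACI above with whatever ACI FreeIPA writes for the permission: a small parser for the 389-ds ACI syntax plus a check that no rule hands write-class rights to ldap:///anyone. ANON_ACI is the ACI from the post; PERM_ACI is a constructed string in the shape FreeIPA permissions normally produce, and it assumes that a permission's memberOf option becomes a targetfilter (which entries the ACI covers) rather than a bind rule (who is granted access).

```python
import re

# Constructed samples, not read from a live server. ANON_ACI is the manual ACI
# from the post (stray ";;" removed, targetattr quoted). PERM_ACI is an
# assumption about the shape FreeIPA writes for a permission with memberOf set:
# memberOf becomes a targetfilter (which entries), not a bind rule (who).
ANON_ACI = ('(targetattr="*")(version 3.0; acl "Allow anonymous search"; '
            'allow (read,search,compare) userdn= "ldap:///anyone";)')
PERM_ACI = ('(targetfilter = "(memberOf=cn=x500,cn=groups,cn=accounts,dc=example,dc=com)")'
            '(target = "ldap:///cn=Multicast,dc=example,dc=com")(targetattr = "*")'
            '(version 3.0;acl "permission:x500 multicast";allow (all) '
            'groupdn = "ldap:///cn=x500 multicast,cn=permissions,cn=pbac,dc=example,dc=com";)')

# Target clauses are expected with quoted values, as the 389-ds docs show them.
_TARGET_RE = re.compile(r'\(\s*(target(?:attr|filter|_from|_to)?)\s*(!?=)\s*"([^"]*)"\s*\)')
_BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)

WRITE_RIGHTS = {"all", "write", "add", "delete", "selfwrite"}


def parse_aci(aci):
    """Split a 389-ds ACI into its target clauses, acl name and permission rules."""
    targets = {kw: (op, val) for kw, op, val in _TARGET_RE.findall(aci)}
    body = _BODY_RE.search(aci)
    if body is None:
        raise ValueError("no (version 3.0; acl ...; ...) body found")
    rules = [{"effect": effect,
              "rights": [r.strip().lower() for r in rights.split(",")],
              "bind": bind.strip()}
             for effect, rights, bind in _RULE_RE.findall(body.group(2))]
    return {"name": body.group(1), "targets": targets, "rules": rules}


def grants_anonymous_write(aci):
    """True if an allow rule gives a write-class right to ldap:///anyone."""
    for rule in parse_aci(aci)["rules"]:
        if (rule["effect"] == "allow" and "ldap:///anyone" in rule["bind"]
                and WRITE_RIGHTS & set(rule["rights"])):
            return True
    return False


def who_and_what(aci):
    """One-line summary: which entries the ACI covers and who gets which rights."""
    p = parse_aci(aci)
    scope = ", ".join(f"{k}{op}{v}" for k, (op, v) in p["targets"].items()) or "(no target)"
    grants = "; ".join(f"{r['effect']} {','.join(r['rights'])} to {r['bind']}" for r in p["rules"])
    return f'{p["name"]}: scope [{scope}] grants [{grants}]'


if __name__ == "__main__":
    for aci in (ANON_ACI, PERM_ACI):
        print(who_and_what(aci), "| anonymous write:", grants_anonymous_write(aci))
```

Feed it the aci values from `ipa permission-show <name> --all --raw` or an ldapsearch of cn=Multicast,dc=example,dc=com to see in one line which entries each ACI covers and which bind rule it grants to.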
On Mon, Aug 14, 2023 at 10:39 AM Rob Crittenden <[email protected]> wrote:

> Super Tony via FreeIPA-users wrote:
> > Hi,
> >
> > I have an IPA server running on RHEL 8.8. I added a subtree on top of my
> domain - cn=Multicast,dc=example,dc=com, and I need to be able to query
> anonymously for things that live underneath cn=Multicast, and give users
> that belong to cn=x500,cn=groups,cn=accounts,dc=example,dc=com write access.
> >
> > I am able to add ACI the traditional way against dn:
> cn=Multicast,dc=example,dc=com and make anonymous search plus write access
> work if I add it via ldapadd, however, I am unable to make it work the way
> I want it if I add the ACI via IPA Permissions from the IPA admin GUI.
> >
> > What am I missing here?
>
> It's impossible to say without seeing what you've done.
>
> rob
>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]