John Phillip Apple II via FreeIPA-users wrote:
> In case anyone was ever looking this up (as I have recently), I managed to 
> figure out a sysaccounts bind entry access as per above using the following 
> LDIF (assuming you don't want the sysaccount reading things like userPassword 
> or other secrets):
> 
> Replace $SUFFIX with your domain config (i.e. "dc=site,dc=example,dc=com")
> Replace $MYSERVICEACCOUNT with your account's uid
> 
> 
> "MYSERVICEACCOUNT_ACI.ldif"
> ------
> dn: cn=sysaccounts,cn=etc,$SUFFIX
> changetype: modify
> add: aci
> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
>   sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
>   krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData ||
>   krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf ||
>   enrolledBy || ipaNTHash || ipaProtectedOperation") (version 3.0; acl "allow
>   (compare,read,search) of sysaccounts by $MYSERVICEACCOUNT";
>   allow(search,read,compare) userdn =
>   "ldap:///uid=$MYSERVICEACCOUNT,cn=sysaccounts,cn=etc,$SUFFIX";;)
> ------
> 
> 
> Apply with ldapmodify:
> ------
> ldapmodify -x -D "cn=Directory Manager" -W -h `hostname` -f MYSERVICEACCOUNT_ACI.ldif
> ------

I think rather than listing the attributes that are not allowed I'd list
the attributes that are. Something like (untested):

aci: (targetfilter = "(objectClass=account)")(targetattr = "objectclass
  || uid || passwordExpirationTime")(version 3.0; acl "Read
  $MYSERVICEACCOUNT sysaccount"; allow (read, search, compare) userdn =
  "ldap:///uid=$MYSERVICEACCOUNT,cn=sysaccounts,cn=etc,$SUFFIX";)

rob
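Added example, not code from either message above nor from FreeIPA or 389-ds: a small Python check that parses the two ACI shapes discussed in this thread and flags the deny-list one. The point behind the allow-list suggestion is that in 389-ds a (targetattr != "...") clause grants the listed rights on every attribute that is NOT named, so any attribute added to the sysaccount entry later is readable by default, while an allow-list only ever exposes what it names. The regex parser is a hypothetical helper (not the server's own ACI parser), and the suffix dc=site,dc=example,dc=com and the account uid svc-reader are made-up values for the example. The fold/unfold helpers implement RFC 2849 line folding (continuation lines start with one space), which is what the mail-wrapped LDIF above needs to load cleanly.

```python
"""Check 389-ds/FreeIPA ACIs for the deny-list pitfall discussed in this thread.

Example code for the mailing-list discussion above; check_aci() is a hypothetical
regex-based parser, not the 389-ds ACI parser.
"""
import re
from dataclasses import dataclass, field

# Secrets from the exclusion list in the first message, lower-cased for matching.
SENSITIVE_ATTRS = {
    "userpassword", "krbprincipalkey", "sambalmpassword", "sambantpassword",
    "passwordhistory", "krbmkey", "krbpwdhistory", "ipanthash",
}
_TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
_TARGETFILTER_RE = re.compile(r'\(\s*targetfilter\s*=\s*"([^"]*)"\s*\)', re.I)
# Bind rule: allow (rights) userdn = "ldap:///dn"; the quotes may be missing.
_RULE_RE = re.compile(
    r'\b(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn)\s*=\s*"?(ldap:///[^";)]+)"?', re.I)


@dataclass
class AciReport:
    attr_mode: str          # "allow-list", "deny-list" or "all"
    attrs: list
    target_filter: str
    rights: list
    bind_dn: str
    warnings: list = field(default_factory=list)


def check_aci(aci: str) -> AciReport:
    """Parse one ACI value (or unfolded LDIF containing it) and flag risky choices."""
    m = _TARGETATTR_RE.search(aci)
    if m is None:
        mode, attrs = "all", []
    else:
        mode = "deny-list" if m.group(1) == "!=" else "allow-list"
        attrs = [a.strip() for a in m.group(2).split("||") if a.strip()]
    tf = _TARGETFILTER_RE.search(aci)
    rule = _RULE_RE.search(aci)
    if rule is None:
        raise ValueError("no allow/deny bind rule found")
    rights = [r.strip().lower() for r in rule.group(2).split(",") if r.strip()]
    rep = AciReport(mode, attrs, tf.group(1) if tf else "", rights, rule.group(4))

    if mode == "deny-list":
        # 389-ds semantics: != means "every attribute except these".
        rep.warnings.append("targetattr != grants access to every attribute not "
                            "listed, including ones added to the entry later")
    elif mode == "all":
        rep.warnings.append("no targetattr clause: rule covers all attributes")
    else:
        leaked = sorted(a for a in attrs if a.lower() in SENSITIVE_ATTRS)
        if leaked:
            rep.warnings.append(f"allow-list exposes secrets: {leaked}")
    if not rep.target_filter:
        rep.warnings.append("no targetfilter: every entry under the target DN matches")
    if {"write", "add", "delete", "all"} & set(rights):
        rep.warnings.append(f"rights beyond read: {rights}")
    return rep


def fold_ldif(line: str, width: int = 76) -> str:
    """Fold a long LDIF line per RFC 2849: continuation lines start with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def unfold_ldif(text: str) -> str:
    """Reverse fold_ldif(): join each continuation line onto the line before it."""
    return re.sub(r"\n ", "", text)


def allowlist_ldif(suffix: str, uid: str,
                   attrs=("objectclass", "uid", "passwordExpirationTime")) -> str:
    """LDIF adding a read-only allow-list ACI for one sysaccount (the shape proposed above)."""
    bind_dn = f"uid={uid},cn=sysaccounts,cn=etc,{suffix}"
    aci = ('(targetfilter = "(objectClass=account)")'
           f'(targetattr = "{" || ".join(attrs)}")'
           f'(version 3.0; acl "Read {uid} sysaccount"; '
           f'allow (read, search, compare) userdn = "ldap:///{bind_dn}";)')
    return "\n".join([f"dn: cn=sysaccounts,cn=etc,{suffix}", "changetype: modify",
                      "add: aci", fold_ldif(f"aci: {aci}"), ""])


# Constructed sample: the deny-list ACI from the first message with its
# placeholders filled by a hypothetical suffix and service-account uid.
SUFFIX = "dc=site,dc=example,dc=com"
UID = "svc-reader"
DENYLIST_ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || '
    'krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || '
    'enrolledBy || ipaNTHash || ipaProtectedOperation") (version 3.0; '
    f'acl "allow (compare,read,search) of sysaccounts by {UID}"; '
    f'allow(search,read,compare) userdn = '
    f'"ldap:///uid={UID},cn=sysaccounts,cn=etc,{SUFFIX}";)'
)

if __name__ == "__main__":
    for label, text in (("deny-list", DENYLIST_ACI),
                        ("allow-list", unfold_ldif(allowlist_ldif(SUFFIX, UID)))):
        rep = check_aci(text)
        print(f"{label}: mode={rep.attr_mode} rights={rep.rights} bind={rep.bind_dn}")
        for w in rep.warnings:
            print("  WARNING:", w)
    print(allowlist_ldif(SUFFIX, UID))
```

Run as a script it prints a report for each ACI and then the folded allow-list LDIF, which can be fed to ldapmodify as in the first message. Adding a new attribute to the allow-list is a deliberate edit; with the deny-list, forgetting one is a silent exposure.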
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue