I found the following in the docs:

https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md

Changes to LDAP storage
By default, POSIX attributes can only be searched by LDAP clients in cn=users,cn=accounts,$basedn and cn=groups,cn=accounts,$basedn subtrees. Since the SMB service belongs to the cn=services,cn=accounts,$basedn subtree, a new ACI has to be added.

'System: Read POSIX details of the SMB services': {
    'replaces_global_anonymous_aci': True,
    'ipapermbindruletype': 'all',
    'ipapermright': {'read', 'search', 'compare'},
    'ipapermdefaultattr': {
        'objectclass', 'cn', 'uid', 'gecos', 'gidnumber',
        'homedirectory', 'loginshell', 'uidnumber',
        'ipantsecurityidentifier',
    },
}
SMB attributes for users are now accessible for self-modification and also readable by the members of cn=adtrust agents,cn=sysaccounts,cn=etc,$basedn group which contains, among others, service principals of the domain controllers.


So I have added an aci:

LDIF-File:

dn: cn=accounts,dc=local,dc=mydomain,dc=de
changetype: modify
add: aci
aci: (target="ldap:///cn=users,cn=accounts,dc=local,dc=mydomain,dc=de")(targetattr="ipantsecurityidentifier")(version 3.0; acl "System: Read POSIX details of the SMB services"; allow (read, search, compare) userdn = "ldap:///all";)


Import File:

ldapmodify -x -D "cn=Directory Manager" -W -f aci.ldif

Test access (successful):

ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=local,dc=mydomain,dc=de" -W -b "cn=users,cn=accounts,dc=local,dc=mydomain,dc=de" "(uid=mmuster)" ipantsecurityidentifier

Conclusion: Reading the attribute in the script is not possible.

        ipa_sid = entry.get('ipaNTSecurityIdentifier')




-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
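Added example, not from the post or the FreeIPA project: a small parser for the 389-ds ACI shape used above that reports whether an ACI's target subtree, targetattr list and rights cover a given entry DN and attribute, so an ACI can be checked against the DN of the entry a script actually reads rather than by binding as an administrator. It assumes the post's shape (one target, one targetattr, one allow clause with a userdn bind rule; anything else is reported as unsupported) and a constructed base DN and service DN.

```python
import re

# Constructed sample mirroring the post's ACI in canonical 389-ds syntax (assumed base DN).
BASE_DN = "dc=local,dc=mydomain,dc=de"
SAMPLE_ACI = (
    f'(target="ldap:///cn=users,cn=accounts,{BASE_DN}")'
    '(targetattr="ipantsecurityidentifier")'
    '(version 3.0; acl "System: Read POSIX details of the SMB services"; '
    'allow (read, search, compare) userdn = "ldap:///all";)'
)

# Grammar subset: (target="ldap:///DN")(targetattr="a||b")(version 3.0; acl "name"; allow (rights) userdn = "ldap:///x";)
_ACI_RE = re.compile(
    r'^\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\)\s*'
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"ldap:///(?P<bind>[^"]*)"\s*;\)$'
)

def parse_aci(aci: str) -> dict:
    """Parse the ACI subset above; raise ValueError on anything outside it (e.g. a ';;' terminator)."""
    m = _ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unsupported or malformed ACI: " + aci)
    d = m.groupdict()
    return {
        "target": d["target"].lower(),
        "attrs": {a.strip().lower() for a in d["attrs"].split("||")},
        "name": d["name"],
        "rights": {r.strip().lower() for r in d["rights"].split(",")},
        "bind": d["bind"].lower(),
    }

def is_well_formed(aci: str) -> bool:
    try:
        parse_aci(aci)
        return True
    except ValueError:
        return False

def _under(entry_dn: str, subtree: str) -> bool:
    # Case-insensitive suffix match on normalised DNs: entry is the subtree root or below it.
    e, s = entry_dn.lower().replace(", ", ","), subtree.lower().replace(", ", ",")
    return e == s or e.endswith("," + s)

def aci_grants(aci: str, entry_dn: str, attr: str, right: str) -> bool:
    """True if the ACI's target subtree, targetattr list and rights cover (entry, attr, right).
    Only the 'ldap:///all' bind rule is modelled; any other bind rule is treated as no match."""
    p = parse_aci(aci)
    if p["bind"] != "all" or not _under(entry_dn, p["target"]):
        return False
    if "*" not in p["attrs"] and attr.lower() not in p["attrs"]:
        return False
    return right.lower() in p["rights"]
```

Run `aci_grants` with the DN of the entry the script reads: an entry under cn=services is not covered by an ACI whose target is the cn=users subtree, which is the subtree difference the quoted design note points out.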