Chris Whittle wrote: > If I do this > > ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D > "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword' > -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com" > > It works fine
AFAICT there currently isn't a permission for the compat tree. The admin user can do it via 'Admin can manage any entry" and of course DM can do it because it can do anything. A temporary workaround would be to add an aci manually: dn: dc=example,dc=com changetype: modify add: aci aci: (targetattr = "*")(target = "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com";)(version 3.0;acl "Read canlogin compat tree";allow (compare,read,search) userdn = "ldap:///all";;) This won't show up as a permission and will grant all authenticated users read access to the canlogin compat tree. I'm assuming here this contains entries keyed on uid. rob > > **Mac_Slave is my automation user. > > > > > On Tue, Sep 2, 2014 at 3:40 PM, Chris Whittle <[email protected] > <mailto:[email protected]>> wrote: > > For testing I'm using > > ldapsearch -LLL -H ldaps://DOMAIN636 -x -D "cn=directory manager" -w > 'nachopassword' -b "cn=canlogin,cn=compat,dc=domain,dc=com" > > If I do it with directory manager it works fine, if I use my > automation user (just a generic user with no extra permissions) it > returns nothing, no error, just empty space > > if I add -v (verbose) i get > > ldap_initialize( ldaps://domain.com:636/??base > <http://domain.com:636/??base> ) > > filter: (objectclass=*) > > requesting: All userApplication attributes > > > Thanks everyone! > > > On Tue, Sep 2, 2014 at 3:31 PM, Rob Crittenden <[email protected] > <mailto:[email protected]>> wrote: > > Chris Whittle wrote: > > hmmm... > > Is there not a permission or role in freeIPA that I could give > a group > > or role just to see everything in > > my CN "cn=canlogin,cn=compat,dc=DOMAIN,dc=com" > > Can you provide more details on what you're doing, and how you are > binding? Can you search the cn=users,cn=compat,dc=DOMAIN,dc=com > tree? > > AFAICT you should be able to read cn=compat as long as you bind > as a user. > > rob > > > > > > > > > On Tue, Sep 2, 2014 at 3:06 PM, Dmitri Pal <[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > > > On 09/02/2014 09:34 PM, Chris Whittle wrote: > >> Ok Dmitri, I got it added using what you sent and the > following links > >> > > https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/sch-getting-started.txt > >> and > >> > > https://www.redhat.com/archives/freeipa-users/2009-August/msg00013.html > >> > >> I think i'm 90% there with the caveat that I can't seem > to see > >> what permissions I need to give a user to view my NIS "view". > >> Right now Directory Manager can see it but that is it. > >> > >> Any ideas? > >> > > You got me :-) > > I would defer to specialist in this area to solve this > problem. > > > > > >> > >> > >> On Tue, Sep 2, 2014 at 9:00 AM, Chris Whittle > <[email protected] <mailto:[email protected]> > >> <mailto:[email protected] <mailto:[email protected]>>> wrote: > >> > >> Thanks Dimitri, before I get too far this rabbit hole > (cause > >> it looks a little scary) let me make sure I get it. > >> > >> So using Slap-NIS I should be able to create a view into > >> FreeIPA that would show only a subset of user based on > >> something like a group or an attribute? > >> > >> Then using the built in MAC Directory Utility (or any > LDAP > >> client) I should be able to use that Slap-NIS view as a > >> searchbase and it would return just people I wanted. > This > >> could be used keep anyone outside that view from > logging in? > >> > >> I'm sorry for the noob questions but there isn't a > lot of good > >> documentation on SlapNIS from first glance and I > don't want to > >> spend 2 days figuring it out if it's not going to work. > >> > >> As always extremely appreciated! > >> Whitt > >> > >> > >> > >> > >> > >> > >> > >> On Tue, Sep 2, 2014 at 3:54 AM, Dmitri Pal > <[email protected] <mailto:[email protected]> > >> <mailto:[email protected] <mailto:[email protected]>>> wrote: > >> > >> On 09/02/2014 03:04 AM, Chris Whittle wrote: > >>> I am trying to limit who can login to my macs > and I'm > >>> having to stick to what OSX will let me do. > >>> > >>> Currently I can only limit users using the > searchbase and > >>> right now it's > "cn=users,cn=accounts,dc=DOMAIN,dc=com" > >>> > >>> This works fine unless I wanted to create a user > that I > >>> wanted in LDAP for other purposes but not to login. > >>> > >>> So my questions are, > >>> A)Can we create different OUs in FreeIPA like > most LDAP > >>> servers? > >> > >> You can use slapi-nis to create an alternative > view of the > >> tree or trees and point your special client to > that tree. > >> There you might be able to expose a small subset > of users > >> that match your special criteria. > >> The slapi-nis and compat docs are in the doc > folder in the > >> corresponding git repo. > >> > >> IPA uses compat tree for its own purposes but you can > >> tweak it if you need or create a different view. > >> > >> HTH > >> > >> > >> > >>> B)If not anyone have any idea on how I could do > this with > >>> OSX's directory Utility? > >>> > >>> Thanks! > >>> > >>> > >>> > >> > >> > >> -- > >> Thank you, > >> Dmitri Pal > >> > >> Sr. Engineering Manager IdM portfolio > >> Red Hat, Inc. > >> > >> > >> > > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IdM portfolio > > Red Hat, Inc. > > > > > > > > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
