<< If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest the following procedure:

1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new) privilege.
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN member of that role (you just add a new member attribute value)
5) Profit - you should now be able to control permissions to your system account with FreeIPA CLI/UI >>

On step 4, adding the sysaccounts user to the role, I get an error:

# cat sysaccount-LDAPsearch-add-role-2.ldif
dn: cn=A and A,cn=roles,cn=accounts,dc=...
changetype: modify
add: member
member: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=...

# ldapmodify -Y GSSAPI -f sysaccount-LDAPsearch-add-role-2.ldif
SASL/GSSAPI authentication started
SASL username: admin@...
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=A and A,cn=roles,cn=accounts,dc=..."
ldap_modify: Object class violation (65)

Same thing if I use Directory Manager.

I was able to add a normal user to the role, using both the GUI and ldapmodify.

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# cat /etc/centos-release
CentOS Linux release 7.1.1503 (Core)

George Boyce, SAIC/NICS
GCC Systems Support
NASA GSFC Code 762
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
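The quoted five-step procedure as shell functions, an added example that is not part of the original thread: steps 1 and 4 generate the LDIF, steps 2 and 3 use the ipa CLI, and a last function gathers what to inspect when ldapmodify returns result 65. BASE_DN, the privilege and permission names, and the example password are placeholders; the account and role names are taken from the post.

```shell
BASE_DN="dc=example,dc=test"            # constructed placeholder, use your base DN
SYSACCT="LDAPsearch"                     # system account uid from the post
ROLE_NAME="A and A"                      # role name from the post
PRIV_NAME="LDAPsearch privilege"         # placeholder
PERM_NAME="LDAPsearch read users"        # placeholder

# Step 1: LDIF that creates the system account under cn=sysaccounts,cn=etc.
sysaccount_add_ldif() {
  local uid="$1" base="$2" password="$3"
  printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\nchangetype: add\n' "$uid" "$base"
  printf 'objectclass: account\nobjectclass: simplesecurityobject\nuid: %s\n' "$uid"
  printf 'userPassword: %s\npasswordExpirationTime: 20380119031407Z\nnsIdleTimeout: 0\n' "$password"
}

# Step 4: LDIF that adds the system account DN as a member of the role.
role_member_ldif() {
  local role="$1" uid="$2" base="$3"
  printf 'dn: cn=%s,cn=roles,cn=accounts,%s\nchangetype: modify\n' "$role" "$base"
  printf 'add: member\nmember: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$uid" "$base"
}

# Steps 2 and 3 with the IPA CLI. The permission is deliberately narrow
# (read-only, two attributes of user entries) so the account stays least-privilege.
create_permission_chain() {
  ipa permission-add "$PERM_NAME" --type=user --right=read --attrs=cn --attrs=uid
  ipa privilege-add "$PRIV_NAME"
  ipa privilege-add-permission "$PRIV_NAME" --permissions="$PERM_NAME"
  ipa role-add "$ROLE_NAME"
  ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME"
}

# Step 4 applied with ldapmodify under admin Kerberos credentials, as in the post.
add_sysaccount_to_role() {
  role_member_ldif "$ROLE_NAME" "$SYSACCT" "$BASE_DN" | ldapmodify -Y GSSAPI
}

# Diagnostic for result 65: some entry would end up holding an attribute its
# object classes do not permit. The memberOf plugin also updates the member
# entry, so check the object classes of both the role and the system account.
show_objectclasses() {
  ldapsearch -Y GSSAPI -LLL -s base -b "cn=$ROLE_NAME,cn=roles,cn=accounts,$BASE_DN" objectClass
  ldapsearch -Y GSSAPI -LLL -s base -b "uid=$SYSACCT,cn=sysaccounts,cn=etc,$BASE_DN" objectClass
}
```

Source the file, run `create_permission_chain`, pipe `sysaccount_add_ldif` into `ldapmodify -Y GSSAPI`, then `add_sysaccount_to_role`; if that step fails, `show_objectclasses` prints the two entries whose object classes decide whether the modify is allowed.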
