Hello all, I have added three ACIs to authorize a group of permissions to manage my Services OU like this:
# ldapmodify records; the changetype/add lines are assumed, the post shows only dn and aci
# To modify attributes
dn: ou=services,dc=xxx,dc=yyy
changetype: modify
add: aci
aci: (targetattr="description || cn || memberOf || nsUniqueId || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable user modify to change services"; allow (write, read)(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy");)

# To permit password reset
dn: ou=services,dc=xxx,dc=yyy
changetype: modify
add: aci
aci: (targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service password reset"; allow (write, read)(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy");)

# To allow service account creation
dn: ou=services,dc=xxx,dc=yyy
changetype: modify
add: aci
aci: (targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy");)
Then I have created those groups under the permissions OU like this:
cn=servce_admin,ou=permissions,dc=xxx,dc=yyy
cn=servce_modify,ou=permissions,dc=xxx,dc=yyy
cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy
And I have added my administrator users to those groups.
When testing the creation of a service account using one of my administrator users I got this error:
"Error: 105 - 3 - 50 - Insufficient access - [] - Insufficient 'add' privilege to add the entry 'cn=test,ou=Services,dc=xxx,dc=yyy'."
If I understand this message correctly, the ACI didn't take effect on the Services OU. In my log files there is no information; I tried to run my creation command in debug mode and got the same output.
I need your help on this issue.
Best Regards
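As an added check (example code written for this page, not part of the thread, of 389-ds or of lib389), the script below statically lints the three ACIs from the post against the group DNs the post says were created and against the entry that the `dsidm ... service create --cn test --description "test user"` command mentioned later in the thread is assumed to add. The objectClass list of that entry is an assumption; the post shows only cn and description. For each ACI it reports: a groupdn that does not equal any created group after DN normalization (389-ds matches groupdn on the normalized DN, so members of a group at a different DN never satisfy that clause); whether the new entry matches targetfilter; which attributes of the new entry fall outside targetattr (informational, since the thread does not establish how the server applies targetattr to this add); and whether the ACI grants add at all. The filter evaluator covers the subset used in the ACIs (&, |, !, attr=value, attr=*) and is more general than the single filter on the page.

```python
import re

# Constructed from the three ACIs quoted in the post (suffix dc=xxx,dc=yyy kept as written).
ACIS = [
    '(targetattr="description || cn || memberOf || nsUniqueId || nsAccountLock")'
    '(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")'
    '(version 3.0; acl "Enable user modify to change services"; allow (write, read)'
    '(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy");)',
    '(targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")'
    '(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")'
    '(version 3.0; acl "Enable service password reset"; allow (write, read)'
    '(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy");)',
    '(targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock")'
    '(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")'
    '(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)'
    '(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy");)',
]

# The group DNs exactly as the post says they were created.
GROUPS = [
    "cn=servce_admin,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_modify,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy",
]

# Assumed shape of the entry that `dsidm ... service create --cn test --description "test user"`
# adds: the post shows only cn and description, the objectClass list is an assumption.
NEW_ENTRY = {
    "objectClass": ["top", "nsAccount", "nsMemberOf", "netscapeServer"],
    "cn": ["test"],
    "description": ["test user"],
}


def norm_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators (DN comparison is case-insensitive)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(aci):
    """Extract the clauses this lint needs with regexes; this is not a complete ACI grammar."""
    def quoted(key):
        m = re.search(r'\(%s="([^"]*)"\)' % key, aci, re.IGNORECASE)
        return m.group(1) if m else None
    name = re.search(r'acl\s+"([^"]*)"', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci, re.IGNORECASE)
    group = re.search(r'groupdn="ldap:///([^"]*)"', aci, re.IGNORECASE)
    return {
        "name": name.group(1) if name else "<unnamed>",
        "targetattr": quoted("targetattr"),
        "targetfilter": quoted("targetfilter"),
        "rights": {r.strip().lower() for r in rights.group(1).split(",")} if rights else set(),
        "groupdn": group.group(1) if group else None,
    }


def _split_filters(s):
    """Split '(a)(b)(c)' into its top-level components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def get_attr(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def match_filter(flt, entry):
    """Evaluate an LDAP filter subset (&, |, !, attr=value, attr=*) against an entry dict."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [match_filter(sub, entry) for sub in _split_filters(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    values = get_attr(entry, attr)
    if value == "*":
        return bool(values)
    return value.lower() in [v.lower() for v in values]


def lint_aci(aci, groups, entry):
    """Return (acl name, findings) for one ACI checked against the created groups and the new entry."""
    p = parse_aci(aci)
    findings = []
    if p["groupdn"] and norm_dn(p["groupdn"]) not in {norm_dn(g) for g in groups}:
        findings.append("groupdn %s matches none of the groups that were created" % p["groupdn"])
    if p["targetfilter"] and not match_filter(p["targetfilter"], entry):
        findings.append("new entry does not match targetfilter")
    if p["targetattr"] and p["targetattr"].strip() != "*":
        allowed = {a.strip().lower() for a in p["targetattr"].split("||")}
        outside = sorted(a for a in entry if a.lower() not in allowed)
        if outside:
            findings.append("entry attributes outside targetattr: %s" % ", ".join(outside))
    if "add" not in p["rights"]:
        findings.append("ACI does not grant 'add'")
    return p["name"], findings


def lint_all(acis=ACIS, groups=GROUPS, entry=NEW_ENTRY):
    """Map each acl name to its findings."""
    return dict(lint_aci(a, groups, entry) for a in acis)


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name)
        for f in findings or ["ok"]:
            print("  -", f)
```

Running the block prints one section per ACI. Passing a group list whose DNs equal the groupdn values in the ACIs makes the groupdn finding disappear, which is the point of normalizing both sides before comparing: the lint answers only "could a member of one of these groups ever satisfy this clause", and leaves the server-side add evaluation to a live test with the bind DN in question.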
Nizar Montassar wrote:
It would be helpful to see the entry you were trying to create.
rob
Hello,
Yes, the command: dsidm my-ds service create --cn test --description "test user"
where my-ds is a configuration stored in the /root/.dsa file that points to my admin user.
Best regards
On Tue, 10 Oct 2023 at 20:14, Rob Crittenden rcritten@redhat.com wrote:
389-users@lists.fedoraproject.org