Re: ACI - on OU services didn't match

Hello,

Yes the command: dsidm my-ds service create --cn test --description " test user"

Where my-ds is a configuration stored in the /root/.dsa file that points to my admin user.

Best regards 

On Tue, 10 Oct 2023 at 20:14, Rob Crittenden <rcritten@xxxxxxxxxx> wrote:
Nizar Montassar wrote:
> Hello All,
> I have added three ACI to authorize a group of permission to manage my Service OU like this:
>
> # To modify attributes
>
> dn: ou=services,dc=xxx,dc=yyy
> aci: (targetattr="description ||  cn || memberOf || nsUniqueId || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable user modify to change services"; allow (write, read)(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy");)
> # To permit password reset
> dn: ou=services,dc=xxx,dc=yyy
> aci: (targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service password reset"; allow (write, read)(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy");)
> # to allow service account creation
>
> dn: ou=services,dc=xxx,dc=yyy
> aci: (targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy");)
>
> Then I have created those groups under the permission OU like this:
> cn=servce_admin,ou=permissions,dc=xxx,dc=yyy
> cn=servce_modify,ou=permissions,dc=xxx,dc=yyy
> cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy
>
> And I have added my administrator users to those groups.
>
> When testing to create a service account using one of my administrator users I got this error:
> "Error: 105 - 3 - 50 - Insufficient access - [] - Insufficient 'add' privilege to add the entry 'cn=test,ou=Services,dc=xxx,dc=yyy'.
>
> If I understand this message correctly: the ACI didn't take effect on the service OU.
> In my log files there is no information; I tried to run my creation command in debug mode and also got the same output.
>
> I need your help on this issue.

It would be helpful to see the entry you were trying to create.

rob
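As an added example (not code from this thread or from 389-ds), the following Python checker parses the three ACIs exactly as posted, normalises the groupdn each one references and compares it with the group DNs that were actually created, then checks whether any ACI granting add covers every attribute of the entry being added. The entry attributes (objectClass, cn, description) are an assumption about what a service entry created with dsidm carries.

```python
import re

# Constructed from the thread: the three ACIs and the group DNs exactly as posted
# (note the "servce" spelling); ENTRY_ATTRS is an assumed attribute set for the new entry.
ACIS = [
    '(targetattr="description ||  cn || memberOf || nsUniqueId || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable user modify to change services"; allow (write, read)(groupdn="ldap:///cn=service_modify,ou=permissions,dc=xxx,dc=yyy");)',
    '(targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service password reset"; allow (write, read)(groupdn="ldap:///cn=service_passwd_reset,ou=permissions,dc=xxx,dc=yyy");)',
    '(targetattr="objectClass || description || nsUniqueId || cn || memberOf || nsAccountLock")(targetfilter="(&(objectClass=nsAccount)(objectClass=nsMemberOf)(objectClass=netscapeServer))")(version 3.0; acl "Enable service admin account create"; allow (write, add, delete, read)(groupdn="ldap:///cn=service_admin,ou=permissions,dc=xxx,dc=yyy");)',
]
POSTED_GROUPS = [
    "cn=servce_admin,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_modify,ou=permissions,dc=xxx,dc=yyy",
    "cn=servce_passwd_reset,ou=permissions,dc=xxx,dc=yyy",
]
ENTRY_ATTRS = ["objectClass", "cn", "description"]
ACL_RE = re.compile(r'acl\s+"(?P<name>[^"]+)"\s*;\s*allow\s*\((?P<rights>[^)]*)\)\s*\(groupdn="ldap:///(?P<groupdn>[^"]+)"\)')
TARGETATTR_RE = re.compile(r'targetattr="([^"]*)"')

def normalize_dn(dn):
    """Lower-case and strip each RDN so DNs compare the way LDAP treats them."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def parse_aci(aci):
    """Extract ACL name, granted rights, subject groupdn and targetattr set from one ACI."""
    m, ta = ACL_RE.search(aci), TARGETATTR_RE.search(aci)
    if not m or not ta:
        raise ValueError("unsupported ACI syntax: " + aci)
    return {"name": m["name"], "groupdn": m["groupdn"],
            "rights": {r.strip().lower() for r in m["rights"].split(",")},
            "targetattr": {a.strip().lower() for a in ta[1].split("||")}}

def check_add(acis, groups, entry_attrs):
    """Return (can_add, findings): can_add is True only if some ACI names an existing
    group, grants 'add', and its targetattr covers every attribute of the new entry."""
    known = {normalize_dn(g) for g in groups}
    findings, can_add = [], False
    for aci in map(parse_aci, acis):
        if normalize_dn(aci["groupdn"]) not in known:
            findings.append(f'{aci["name"]}: groupdn {aci["groupdn"]} matches no existing group')
            continue
        if "add" not in aci["rights"]:
            continue
        # An add is evaluated against every attribute of the new entry, so any attribute
        # outside targetattr denies the whole operation.
        uncovered = {a.lower() for a in entry_attrs} - aci["targetattr"]
        if uncovered:
            findings.append(f'{aci["name"]}: add allowed but targetattr lacks {sorted(uncovered)}')
        else:
            can_add = True
    return can_add, findings
```

Run against the posted values, every ACI is reported because the group DNs it names do not exist; correct the group names and the add ACI is accepted.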

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
