Hello,
We are currently deploying FreeIPA and we make use of custom attributes.
We defined them in a custom.py script (located at
/usr/lib/python2.7/site-packages/ipaserver/plugins/custom.py). custom.py
looks like this:
# Import the module, not the class, so that user.user below is the user object.
from ipaserver.plugins import user
from ipalib.parameters import Str
from ipalib import _

# Extend the built-in user object with an optional ('?') custom attribute.
# The trailing comma after Str(...) keeps the right-hand side a tuple.
user.user.takes_params = user.user.takes_params + (
    Str('mailroutingaddress?',
        cli_name='mailroutingaddress',
        label=_('Mail routing address'),
    ),
)
This works fine: the server makes the attribute visible through the API and
the "ipa" command can also work with it. Basically, we made those attributes
part of our default.
However, users (ordinary users in FreeIPA and also sysaccounts) cannot
access those attributes when binding directly to LDAP. This is due
to the ACIs that FreeIPA writes into LDAP.
I know that in FreeIPA:
* For the user himself, an ldap:///self filter can be defined with "ipa
selfservice-add 'some name' --attrs=mailroutingaddress
--permissions=read".
* For a user to read attributes of other users, I can define a permission,
a privilege and a role and add this role to a user or group.
* For sysaccounts, it is advised to define a custom ACI in LDAP itself.
What I am thinking of: Is there any way that I can make FreeIPA
re-generate its LDAP ACIs based on our extended user class? Say, let the
IPA server load our custom.py, which extends "user" with the
"mailroutingaddress" attribute, and then call "ipa whatever", which
effectively modifies FreeIPA's notion of the user class and redefines the ACIs?
Kind regards,
--
Petr Fišer
BCV solutions s.r.o.
Mobile: +420 607 618 243
E-mail: petr.fi...@bcvsolutions.eu
Jabber: petr.fi...@bcvsolutions.eu
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
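The third option in the message above (a custom ACI written directly into LDAP for sysaccounts) is the one that actually has to be kept in sync with custom.py by hand. The following is an added example, not code from the original post or from FreeIPA: it takes the same takes_params names used in custom.py, strips the ipalib multiplicity flag ('?', '*', '+') that is not part of the LDAP attribute name, and emits an ldapmodify LDIF adding two 389-ds ACIs, one for ldap:///self and one for a sysaccount bind DN. The base DN "dc=example,dc=com" and the sysaccount "uid=mailer,cn=sysaccounts,cn=etc,..." are assumptions for illustration.

```python
"""Generate 389-ds ACIs for custom FreeIPA user attributes from the
takes_params names, so the ACI LDIF can be regenerated whenever custom.py
changes.  Added example; base DN and sysaccount DN are assumptions."""
import re

BASE_DN = "dc=example,dc=com"                                  # assumption
SYSACCOUNT_DN = "uid=mailer,cn=sysaccounts,cn=etc," + BASE_DN  # assumption

# Names exactly as written in takes_params; the trailing '?', '*' or '+'
# is the ipalib multiplicity flag, not part of the LDAP attribute name.
CUSTOM_PARAMS = ("mailroutingaddress?",)

_FLAG_RE = re.compile(r"[?*+]$")


def attribute_names(params):
    """Strip ipalib multiplicity flags, returning bare LDAP attribute names."""
    return [_FLAG_RE.sub("", p) for p in params]


def aci(attrs, name, userdn, rights=("read", "search", "compare")):
    """Build one ACI granting `rights` on `attrs` of user entries to `userdn`.

    The target restricts the rule to entries under cn=users,cn=accounts,
    which is where FreeIPA stores ordinary users.
    """
    target = "ldap:///uid=*,cn=users,cn=accounts,%s" % BASE_DN
    return ('(targetattr = "%s")(target = "%s")'
            '(version 3.0; acl "%s"; allow (%s) userdn = "%s";)'
            % (" || ".join(attrs), target, name, ", ".join(rights), userdn))


def self_read_aci(attrs):
    """Users may read the custom attributes on their own entry."""
    return aci(attrs, "Self read of custom user attributes", "ldap:///self")


def sysaccount_read_aci(attrs, bind_dn):
    """A specific sysaccount may read the custom attributes of all users."""
    return aci(attrs, "Sysaccount read of custom user attributes",
               "ldap:///" + bind_dn)


def build_ldif(params, bind_dn):
    """Return an ldapmodify LDIF adding both ACIs to the suffix entry."""
    attrs = attribute_names(params)
    lines = ["dn: %s" % BASE_DN, "changetype: modify", "add: aci"]
    for rule in (self_read_aci(attrs), sysaccount_read_aci(attrs, bind_dn)):
        lines.append("aci: " + rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ldif(CUSTOM_PARAMS, SYSACCOUNT_DN))
```

The generated file is applied with ldapmodify as Directory Manager (for example `ldapmodify -x -D "cn=Directory Manager" -W -f custom-aci.ldif`); re-running the script after adding a new Str to takes_params produces the updated rule, but the old aci value still has to be deleted by hand, since the script only emits `add: aci`.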