On Thu, 03 Aug 2017, Petr Fišer via FreeIPA-users wrote:
Hello,
We are currently deploying FreeIPA and we make use of custom attributes.
We defined them in custom.py script (located in
/usr/lib/python2.7/site-packages/ipaserver/plugins/custom.py).
custom.py looks like this:
from ipaserver.plugins.user import user
from ipalib.parameters import Str
from ipalib import _
# Append the custom attribute to the user object's parameter list.
# (The imported name "user" is already the plugin class, so it is
# user.takes_params, not user.user.takes_params.)
user.takes_params = user.takes_params + (
    Str('mailroutingaddress?',          # trailing '?' marks the attribute as optional
        cli_name='mailroutingaddress',  # the comma here was missing
        label=_('Mail routing address')),
)
This works fine: the server makes the attribute visible through the API and
the "ipa" command can also work with it. Basically, we made those
attributes part of our default.
However, users (ordinary user in FreeIPA and also sysaccounts) cannot
access those attributes when binding directly to the LDAP. This is due
to ACI that FreeIPA writes into the LDAP.
I know that in FreeIPA:
* For user himself, ldap://self filter can be defined with "ipa
selfservice-add 'some name' --attrs=mailroutingaddress
--permissions=read" .
* For user to read attributes of other users, I can define permission,
privilege and role and add this role to a user or group.
* For sysaccounts, it is advised to define custom ACI in the LDAP itself.
What I am thinking of: Is there any way that I can make FreeIPA
re-generate its LDAP ACI based on our extended user class? Say let the
IPA server load our custom.py which extends "user" with
"mailroutingaddress" attribute and then call "ipa whatever" which
effectively modifies FreeIPA's notion of user class and redefines the
ACI?
You can use an approach I chose in the FleetCommander plugin:
https://github.com/abbra/freeipa-desktop-profile/
In the server plugin you'd define managed permissions:
https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/ipaserver/plugins/deskprofile.py#L146
Then when ipa-server-upgrade is run these permissions are automatically
converted into ACIs for any plugins.
--
/ Alexander Bokovoy
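As an added illustration of the managed-permissions approach (this is example code, not from the thread or the linked plugin), the following extends the same "user" object with the custom attribute and with two managed permissions for it, so that ipa-server-upgrade generates the ACIs. It assumes that patching the class attributes before the API is finalized, as the original custom.py does for takes_params, also works for managed_permissions, and that the "System: ..." permission names are free; the import fallback only exists so the dictionary builder can be inspected off an IPA server.

```python
# Added example (not from the original thread): register a custom user
# attribute together with managed permissions for it.  On ipa-server-upgrade
# FreeIPA turns managed_permissions of every object plugin into ACIs.
# ipaserver/ipalib exist only on an IPA server; the fallback keeps the
# permission builder importable elsewhere (assumption: harmless off-server).
try:
    from ipaserver.plugins.user import user
    from ipalib.parameters import Str
    from ipalib import _
except ImportError:          # not running inside an IPA server
    user = None
    Str = None

    def _(s):
        return s

ATTR = 'mailroutingaddress'   # custom LDAP attribute from the original post


def managed_permissions_for(attr):
    """Build managed_permissions entries for one custom attribute.

    Keys follow FreeIPA's managed_permissions convention.  Read access uses
    bind rule type 'all' (any authenticated bind, so ordinary users and
    sysaccounts can read it); write access is bound to a permission that
    only the listed privileges hold by default (least privilege).
    """
    return {
        'System: Read User %s' % attr: {
            'ipapermbindruletype': 'all',
            'ipapermright': {'read', 'search', 'compare'},
            'ipapermdefaultattr': {attr},
        },
        'System: Modify User %s' % attr: {
            'ipapermbindruletype': 'permission',
            'ipapermright': {'write'},
            'ipapermdefaultattr': {attr},
            'default_privileges': {'User Administrators'},
        },
    }


def writable_only_via_privilege(perms):
    """Sanity check: no permission granting 'write' is open to all binds."""
    return all(p['ipapermbindruletype'] == 'permission'
               for p in perms.values() if 'write' in p['ipapermright'])


if user is not None:
    # Same attribute registration as custom.py, plus the permissions.
    user.takes_params = user.takes_params + (
        Str(ATTR + '?', cli_name=ATTR, label=_('Mail routing address')),
    )
    perms = dict(user.managed_permissions)
    perms.update(managed_permissions_for(ATTR))
    user.managed_permissions = perms
```

After running ipa-server-upgrade, `ipa permission-show 'System: Read User mailroutingaddress'` (a standard command) shows whether the ACI was created; self-service write access for the user's own entry still has to be granted separately, as with `ipa selfservice-add` in the original question.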
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org