Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> Hi,
>
> As I mentioned earlier, I am creating a plugin. My plugin creates the
> following container:
>
> # postfixadmin, mailserver, etc, ipa.test
> dn: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> objectClass: top
> objectClass: nsContainer
> cn: postfixadmin
>
> Domain entries are like this:
>
> # ipa.test, postfixadmin, mailserver, etc, ipa.test
> dn: cn=ipa.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> cn: ipa.test
> objectClass: postfixDomain
> objectClass: nsContainer
> objectClass: top
>
> Mailboxes are under a domain:
>
> # francis, ipa.test, postfixadmin, mailserver, etc, ipa.test
> dn: uid=francis,cn=ipa.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> uid: francis
> givenName: francis
> sn: Medeiros-Logeay
> objectClass: postfixMailbox
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: inetUser
> objectClass: top
> objectClass: organizationalPerson
> cn: francis Medeiros-Logeay
> postfixMailAddress: fran...@ipa.test
> status: TRUE
>
> And finally aliases:
>
> # testing, ipa.test, postfixadmin, mailserver, etc, ipa.test
> dn: uid=testing,cn=ipa.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> uid: testing
> postfixMailDestination: fran...@ipa.test
> status: FALSE
> objectClass: postfixAlias
> objectClass: top
> postfixMailAlias: test...@ipa.test
>
> However, when using ldapsearch with a system user and using
> cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX, I only get the top container
> and the domain. I don't get any of the other entries. Doing the same with an
> admin gives me all the entries below the mentioned DN.
>
> I am confused about permissions, so I tried to add this to the class «Alias»
> in my plugin code:
>
>     managed_permissions = {
>         'System: Read Mail Data': {
>             'ipapermlocation': DN(('cn', 'postfixadmin'), ('cn', 'mailserver'), ('cn', 'etc')),
>             'ipapermbindruletype': 'annonymous',
>             'ipapermtarget': DN(('cn', 'postfixadmin'), ('cn', 'mailserver'), ('cn', 'etc')),
>             'replaces_global_anonymous_aci': True,
>             'ipapermright': {'read', 'search', 'compare'},
>             'ipapermdefaultattr': {
>                 'cn', 'objectclass',
>                 'postfixMailAlias', 'postfixMailDestination', 'uid', 'dn'
>             }
>         }
>     }
>
> It doesn't seem to help.
>
> I also added an attribute to my users, called «postfixMailAddress». That
> attribute is also not visible to my system user, despite having added this to
> my code:
>
>     user.managed_permissions = {**user.managed_permissions, **{
>         'System: Read User Mail Attributes': {
>             'ipapermbindruletype': 'all ',
>             'ipapermright': {'read', 'search', 'compare'},
>             'ipapermdefaultattr': {
>                 'postfixMailAddress', 'status', 'mailquota'
>             },
>             'System: Modify User Mail Attributes': {
>                 'ipapermbindruletype': 'permission',
>                 'ipapermright': {'write', 'add', 'delete'},
>                 'ipapermdefaultattr': {
>                     'postfixMailAddress', 'status', 'mailquota'
>                 }
>             }
>         }}}
>
> I'd love it if someone could please point me in the right direction to manage
> these permissions so that my binding user can see attributes and entries.
The underlying ACIs are likely not created yet. Run ipa-server-upgrade, which should create them.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
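Before running ipa-server-upgrade it is worth checking that the managed_permissions mappings are well formed, because the two in the question carry defects that the upgrade would not silently fix: the bind rule type is misspelled ('annonymous'), another has a trailing space ('all '), the Modify permission is nested inside the Read permission by a misplaced brace, and 'dn' is listed as an attribute although it is the entry's name, not an attribute type. The following linter is an added example for this thread, not code from the poster or from FreeIPA; it retypes the two mappings as posted, then corrected versions, and reports what is wrong. Locations and targets are plain strings here instead of ipapython.dn.DN so the file runs without ipalib, and the set of recognised keys is the ipaperm* attributes plus the two plugin-side flags seen in the thread.

```python
"""Lint managed_permissions mappings of a FreeIPA plugin.

Added example for this thread, not FreeIPA code. Checks things that are
easy to get wrong in such a mapping: every permission must be a top-level
key, ipapermbindruletype must be exactly 'permission', 'all' or
'anonymous', ipapermright may only hold known rights, and 'dn' is not an
attribute type and so cannot be listed in ipapermdefaultattr.
"""

BIND_RULE_TYPES = {"permission", "all", "anonymous"}
RIGHTS = {"read", "search", "compare", "write", "add", "delete", "all"}
# Keys a managed_permissions entry may carry (ipaperm* attributes plus
# the plugin-side flags used in this thread).
PERM_KEYS = {
    "ipapermlocation", "ipapermtarget", "ipapermtargetfilter",
    "ipapermbindruletype", "ipapermright", "ipapermdefaultattr",
    "ipapermincludedattr", "ipapermexcludedattr",
    "replaces_global_anonymous_aci", "default_privileges",
}


def lint_managed_permissions(perms):
    """Return [(permission name, problem)]; an empty list means clean."""
    problems = []
    for name, spec in perms.items():
        for key, value in spec.items():
            if key in PERM_KEYS:
                continue
            if isinstance(value, dict):
                # A whole permission dict inside another one: a brace closed too late.
                problems.append((name, f"permission {key!r} nested inside {name!r}"))
            else:
                problems.append((name, f"unknown key {key!r}"))
        bind_rule = spec.get("ipapermbindruletype", "permission")
        if bind_rule not in BIND_RULE_TYPES:
            problems.append((name, f"bad ipapermbindruletype {bind_rule!r}"))
        unknown_rights = set(spec.get("ipapermright", ())) - RIGHTS
        if unknown_rights:
            problems.append((name, f"unknown rights {sorted(unknown_rights)}"))
        if "dn" in {a.lower() for a in spec.get("ipapermdefaultattr", ())}:
            problems.append((name, "'dn' is not an attribute type"))
    return problems


def problem_texts(perms):
    """Only the problem strings, in the order the linter found them."""
    return [problem for _, problem in lint_managed_permissions(perms)]


# Stand-ins for the DN(...) values in the plugin (strings so this runs offline).
MAIL_CONTAINER = "cn=postfixadmin,cn=mailserver,cn=etc"
MAIL_ATTRS = {"postfixMailAddress", "status", "mailquota"}

# The two mappings from the question, retyped with their defects intact.
AS_POSTED_ALIAS = {
    "System: Read Mail Data": {
        "ipapermlocation": MAIL_CONTAINER,
        "ipapermbindruletype": "annonymous",          # misspelled
        "ipapermtarget": MAIL_CONTAINER,
        "replaces_global_anonymous_aci": True,
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"cn", "objectclass", "postfixMailAlias",
                               "postfixMailDestination", "uid", "dn"},
    },
}
AS_POSTED_USER = {
    "System: Read User Mail Attributes": {
        "ipapermbindruletype": "all ",                # trailing space
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": MAIL_ATTRS,
        "System: Modify User Mail Attributes": {      # nested by a misplaced brace
            "ipapermbindruletype": "permission",
            "ipapermright": {"write", "add", "delete"},
            "ipapermdefaultattr": MAIL_ATTRS,
        },
    },
}

# The same permissions with the defects fixed.
CORRECTED_ALIAS = {
    "System: Read Mail Data": {
        "ipapermlocation": MAIL_CONTAINER,
        "ipapermtarget": MAIL_CONTAINER,
        "ipapermbindruletype": "anonymous",
        "replaces_global_anonymous_aci": True,
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": {"cn", "objectclass", "postfixMailAlias",
                               "postfixMailDestination", "uid"},
    },
}
CORRECTED_USER = {
    "System: Read User Mail Attributes": {
        "ipapermbindruletype": "all",
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": MAIL_ATTRS,
    },
    "System: Modify User Mail Attributes": {
        "ipapermbindruletype": "permission",
        "ipapermright": {"write", "add", "delete"},
        "ipapermdefaultattr": MAIL_ATTRS,
    },
}

if __name__ == "__main__":
    for label, perms in [("alias as posted", AS_POSTED_ALIAS),
                         ("user as posted", AS_POSTED_USER),
                         ("alias corrected", CORRECTED_ALIAS),
                         ("user corrected", CORRECTED_USER)]:
        print(label, "->", lint_managed_permissions(perms) or "clean")
```

Once the mappings are clean and ipa-server-upgrade has run, `ipa permission-show 'System: Read Mail Data' --all` shows the resulting permission entry, and the generated ACI lives in the `aci` attribute of the entry named by ipapermlocation, here cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX; if an ldapsearch for that attribute as admin returns nothing, the ACIs have not been created yet, which is the situation the reply above describes.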