Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> Hi,
> 
> I wrote the following code to assign read permissions to an object I created: 
> 
> from ipalib import api, _
> from ipalib.plugable import Registry
> from ipapython.dn import DN
> from ipaserver.plugins.baseldap import LDAPObject
> 
> register = Registry()
> 
> 
> @register()
> class domain(LDAPObject):
>     """
>     Global postfix configuration (e.g. virtual domains)
>     """
>     object_name = _('postfix configuration')
>     default_attributes = [
>         'cn', 'domainQuota', 'status', 'isBackupMx', 'maxAliases'
>     ]
>     container_dn = DN(('cn', 'postfixadmin'), ('cn', 'mailserver'), ('cn', 'etc'))
>     permission_filter_objectclasses = ['postfixDomain']
>     object_class = ['postfixDomain']
>     search_attributes = ['cn', 'domainQuota', 'status']
>     label = _('Domains')
>     label_singular = _('Domain')
>     managed_permissions = {
>         'System: Read Domain': {
>             'ipapermbindruletype': 'all',
>             'ipapermtarget': DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
>                                 ('cn', 'etc'), api.env.basedn),
>             # 'replaces_global_anonymous_aci': True,
>             'ipapermright': {'read', 'search', 'compare'},
>             'ipapermdefaultattr': {
>                 'cn', 'objectclass', 'status', 'isBackupMx', 'domainQuota', 'maxAliases'
>             },
>             'default_privileges': {'Postfixadmin Readers'},
>         },
>     }
> 
> 
> It is followed by the following code on an update file: 
> 
> dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
> default: objectClass: groupofnames
> default: objectClass: nestedgroup
> default: objectClass: top
> default: cn: Postfixadmin Readers
> default: description: Reading of mail accounts and attributes
> add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX
> 
> 
> plugin: update_managed_permissions
> 
> 
> It seems to be correct, as:
> 
> [root@ipa /]# ipa permission-show
> Permission name: System: Read Domain
>   Permission name: System: Read Domain
>   Granted rights: read, search, compare
>   Effective attributes: cn, createtimestamp, domainquota, entryusn, 
> isbackupmx, maxaliases, modifytimestamp, objectclass,
>                         postfixdomain, status
>   Default attributes: postfixdomain, cn, isbackupmx, status, domainquota, 
> objectclass, maxaliases
>   Bind rule type: all
>   Subtree: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>   Target DN: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>   Type: domain
>   Permission flags: SYSTEM, V2, MANAGED
>   Granted to Privilege: Postfixadmin Readers
> [root@ipa /]# ipa privilege-show
> Privilege name: Postfixadmin Readers
>   Privilege name: Postfixadmin Readers
>   Description: Reading of mail accounts and attributes
>   Permissions: System: Read Alias Data, System: Read Mailbox data, System: 
> Read Domain
> 
> But the attributes ‘status’ and ‘isBackupMx’ are not showing when searching 
> with a system account: 
> 
> root@dbb25e3571bd:/etc/postfix/ldap# ldapsearch -D 
> uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=test -W -b 
> cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test -H ldap://172.17.0.2 
> cn=domain.test
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope 
> subtree
> # filter: cn=domain.test
> # requesting: ALL
> #
> 
> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
> dn: cn=domain.test.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> cn: domain.test
> objectClass: postfixDomain
> objectClass: nsContainer
> objectClass: top
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> When searching with an admin user: 
> 
> [root@ipa /]# ldapsearch -b dc=ipa,dc=test cn=domain.test
> SASL/GSSAPI authentication started
> SASL username: ad...@ipa.test
> SASL SSF: 256
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=ipa,dc=test> with scope subtree
> # filter: cn=domain.test
> # requesting: ALL
> #
> 
> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
> dn: cn=med-lo.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> cn: domain.test
> isBackupMx: FALSE
> objectClass: postfixDomain
> objectClass: nsContainer
> objectClass: top
> status: TRUE
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> I have the exact same code for other objects, and I get to see the attributes 
> that are part of an objectclass for that object. But this one, somehow, is 
> not working.
> 
> Any tips?

Is the sysaccount user a member of the role, privilege or permission
granting access to these attributes?

rob
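Rob's question comes down to two things a practitioner will want to check offline before touching the ACIs: whether the bind DN is actually reachable from the permission entry through the `member` chain (permission → privilege → role → account/group), and which of the attributes the permission grants are hidden from that bind DN but not from an admin. The script below is an added example, not code from the thread or from FreeIPA itself. It works on constructed sample data: a small LDIF dump standing in for the `cn=pbac` subtree (plus the sysaccount entry), `ipa permission-show` output in the wrapped form the CLI prints, and two views of the same entry. The suffix `dc=example,dc=test`, the role `Postfix Service`, the account `uid=postfix` and the dangling group `cn=mailreaders` are all placeholders.

```python
"""Offline checks for a FreeIPA managed permission a bind DN cannot use.

Added example with constructed data; no directory connection is made.
Check 1 walks `member` from the permission entry through privileges and roles
to see whether the bind DN is reachable.  Check 2 diffs the attributes the
permission grants against what the bind DN's search returned, using an admin's
view of the same entry as the reference so unset attributes are not flagged.
"""
from collections import defaultdict


def parse_ldif(text):
    """Minimal LDIF parser -> {dn (lowercased): {attr (lowercased): [values]}}.
    Unfolds continuation lines, skips comments; base64 values are not decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = {}, None, None
    for line in unfolded + [""]:
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(attrs)
            dn, attrs = None, None
        elif line.startswith("#"):
            continue
        else:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn, attrs = value.lower(), defaultdict(list)
            elif attrs is not None:
                attrs[name].append(value)
    return entries


def membership_paths(entries, start_dn, target_dn, max_depth=10):
    """Depth-first walk over `member` from start_dn.  Returns (paths, dangling):
    every chain ending at target_dn, and member DNs absent from the dump.
    DNs are only case-folded here; a real server also normalises spacing."""
    target, paths, dangling = target_dn.lower(), [], set()

    def walk(dn, path):
        if dn == target:
            paths.append(path)
        elif len(path) > max_depth:             # nested groups can be cyclic
            return
        elif dn not in entries:
            dangling.add(dn)                    # referenced but never defined
        else:
            for member in entries[dn].get("member", []):
                if member.lower() not in path:  # skip cycles
                    walk(member.lower(), path + [member.lower()])

    walk(start_dn.lower(), [start_dn.lower()])
    return paths, sorted(dangling)


def effective_attributes(permission_show_text):
    """Collect the 'Effective attributes:' value from `ipa permission-show`
    output, including the indented continuation lines the CLI wraps onto."""
    parts, collecting = [], False
    for line in permission_show_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Effective attributes:"):
            parts.append(stripped.split(":", 1)[1])
            collecting = True
        elif collecting and stripped and ":" not in stripped:
            parts.append(stripped)
        elif collecting:
            break
    return {a.strip().lower() for a in ",".join(parts).split(",") if a.strip()}


def hidden_attributes(granted, admin_view, bind_view):
    """Attributes granted by the permission and visible to an admin on the entry
    but missing from the bind DN's result: the ones the ACI is not exposing."""
    return sorted((granted & set(admin_view)) - set(bind_view))


# ---- constructed sample data; dc=example,dc=test is a placeholder suffix ----
PBAC_DUMP = """\
dn: cn=System: Read Domain,cn=permissions,cn=pbac,dc=example,dc=test
member: cn=Postfixadmin Readers,cn=privileges,cn=pbac,dc=example,dc=test

dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,dc=example,dc=test
member: cn=Postfix Service,cn=roles,cn=accounts,dc=example,dc=test
member: cn=mailreaders,cn=groups,cn=accounts,dc=example,dc=test

dn: cn=Postfix Service,cn=roles,cn=accounts,dc=example,dc=test
member: uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=test

dn: uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=test
uid: postfix
"""   # cn=mailreaders is deliberately missing from the dump (dangling member)
PERMISSION_SHOW = """\
  Permission name: System: Read Domain
  Granted rights: read, search, compare
  Effective attributes: cn, createtimestamp, domainquota, entryusn,
                        isbackupmx, maxaliases, modifytimestamp, objectclass,
                        postfixdomain, status
  Bind rule type: all
"""
ENTRY_DN = "cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=example,dc=test"
ADMIN_VIEW = f"dn: {ENTRY_DN}\ncn: domain.test\nisBackupMx: FALSE\nobjectClass: postfixDomain\nstatus: TRUE\n"
BIND_VIEW = f"dn: {ENTRY_DN}\ncn: domain.test\nobjectClass: postfixDomain\n"
PERMISSION_DN = "cn=System: Read Domain,cn=permissions,cn=pbac,dc=example,dc=test"


def diagnose(bind_dn):
    """Run both checks for one bind DN against the sample data."""
    paths, dangling = membership_paths(parse_ldif(PBAC_DUMP), PERMISSION_DN, bind_dn)
    admin = parse_ldif(ADMIN_VIEW)[ENTRY_DN.lower()]
    bind = parse_ldif(BIND_VIEW)[ENTRY_DN.lower()]
    hidden = hidden_attributes(effective_attributes(PERMISSION_SHOW), admin, bind)
    return {"reachable": bool(paths), "paths": paths, "dangling": dangling, "hidden": hidden}


if __name__ == "__main__":
    for dn in ("uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=test",
               "uid=other,cn=sysaccounts,cn=etc,dc=example,dc=test"):
        print(dn, diagnose(dn))
```

To use it on a real server, replace the constants with an LDIF export of `cn=pbac,$SUFFIX` (and the sysaccount entry) taken with a privileged bind, the actual `ipa permission-show` output, and the entry as returned to the admin and to the system account. A bind DN that is not reachable, or a `member` value that appears under `dangling`, explains a permission that looks correct in `ipa permission-show` but has no effect; a non-empty `hidden` list shows exactly which granted attributes the ACI is still not exposing.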
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
