On 13/11/2023 22.43, Francis Augusto Medeiros-Logeay via FreeIPA-users
wrote:
I’d love if someone could please point me to the right direction to
manage these permissions so that my binding user can see attributes
and entries.
The underlying acis are likely not created yet. Run ipa-server-upgrade
which should create them.
FWIW, the ACIs are created by "plugin: update_managed_permissions" call
in the updates. The update plugin creates and updates ACIs.
Thanks a lot Rob. It worked for the user attribute (postfixMailAddress).
But the entries under cn=postfixadmin,cn=mailserver,cn=etc aren't
visible for the binding user. Is there anything wrong with the code?
I noticed that your plugin creates a bunch of managed permissions, but
has no update code to wire them to privileges and roles. You have to add
your permissions to a privilege, either with "default_privileges" in the
managed permission or manually with an LDAP update. My code has some
examples:
https://github.com/podengo-project/ipa-hcc/blob/4a3998191099ef062fe54d7e1ca64ef31b0338be/install/server/updates/85-hcc.update#L59
I noticed that your 75-mailserver.update has a bug. You are not
assigning a value to the RDN "cn" attribute. You want:
dn: cn=mailserver,cn=etc,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
only: cn: mailserver
Also you are creating new objects for default attributes and managed
permissions. Instead you should extend / update the existing objects:
user.default_attributes.extend(['alias', ...])
user.managed_permissions.update(
    {
        'System: Read User Mail Attributes': {...},
    }
)
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
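As an added illustration of the two points above (extend the existing user object instead of creating new ones, and wire every managed permission to a privilege), the following is example code written for this thread, not code from the original plugin or from FreeIPA itself. It uses the `default_attributes` / `managed_permissions` shape that `update_managed_permissions` consumes; the attribute `postfixMailAddress` and the `cn=mailserver,cn=etc` container come from the thread, while the privilege name "Mail Server Readers", the `alias` attribute, the stand-in `user` object and the target filter are assumptions.

```python
from types import SimpleNamespace

# Stand-in for ipaserver.plugins.user.user so this runs without an IPA server
# (assumed shape: the real plugin exposes these two attributes the same way).
user = SimpleNamespace(
    default_attributes=['uid', 'givenname', 'sn', 'mail'],
    managed_permissions={
        'System: Read User Standard Attributes': {
            'ipapermbindruletype': 'anonymous',
            'ipapermright': {'read', 'search', 'compare'},
            'ipapermdefaultattr': {'uid', 'cn'},
        },
    },
)


def mail_permissions(suffix):
    """Managed-permission definitions keyed by permission name."""
    return {
        # Attributes on the user entry: location defaults to the user container.
        'System: Read User Mail Attributes': {
            'ipapermbindruletype': 'permission',
            'ipapermright': {'read', 'search', 'compare'},
            'ipapermdefaultattr': {'postfixMailAddress', 'alias'},
            'default_privileges': {'Mail Server Readers'},   # assumed privilege
        },
        # Entries under cn=mailserver,cn=etc are not user objects, so the
        # permission needs its own location; narrow the filter to the real
        # objectclass of the postfixadmin entries (placeholder here).
        'System: Read Mail Server Configuration': {
            'non_object': True,
            'ipapermlocation': 'cn=mailserver,cn=etc,' + suffix,
            'ipapermtargetfilter': ['(objectclass=*)'],
            'ipapermbindruletype': 'permission',
            'ipapermright': {'read', 'search', 'compare'},
            'ipapermdefaultattr': {'cn', 'objectclass'},
            'default_privileges': {'Mail Server Readers'},
        },
    }


def unwired_permissions(perms):
    """Permissions granted only via privilege but assigned to none: the ACI
    gets created, yet no role can use it, so a binding user sees nothing."""
    return sorted(name for name, p in perms.items()
                  if p.get('ipapermbindruletype', 'permission') == 'permission'
                  and not p.get('default_privileges'))


def extend_user_plugin(plugin, perms, attrs):
    """Extend the existing object in place; returns still-unwired names."""
    for attr in attrs:
        if attr not in plugin.default_attributes:
            plugin.default_attributes.append(attr)
    plugin.managed_permissions.update(perms)
    return unwired_permissions(plugin.managed_permissions)
```

Running `extend_user_plugin(user, mail_permissions(api.env.basedn), ['postfixMailAddress', 'alias'])` from the plugin module should return an empty list; any name it returns is a permission that no privilege or role can actually use.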
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue