> On Nov 14, 2023, at 09:18, Francis Augusto Medeiros-Logeay via FreeIPA-users
> <[email protected]> wrote:
>
>> On Nov 14, 2023, at 09:14, Christian Heimes via FreeIPA-users
>> <[email protected]> wrote:
>>
>> On 14/11/2023 08.48, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>> On Nov 14, 2023, at 07:39, Christian Heimes via FreeIPA-users
>>>> <[email protected]> wrote:
>>>>
>>>> I noticed that your plugin creates a bunch of managed permissions, but has
>>>> no update code to wire them to privileges and roles. You have to add your
>>>> permissions to a privilege, either with "default_privileges" in the
>>>> managed permission or manually with an LDAP update. My code has some
>>>> examples:
>>>>
>>>> https://github.com/podengo-project/ipa-hcc/blob/4a3998191099ef062fe54d7e1ca64ef31b0338be/install/server/updates/85-hcc.update#L59
>>> Thanks a lot for your answer.
>>> I am a bit confused here. What should be an appropriate default_privileges
>>> value so that a system account can read all the entries/attributes below
>>> cn=mailserver,cn=etc?
>>
>> Who should be allowed to access the fields? All principals (users, services,
>> hosts, sys accounts) or a limited subset of principals?
>
> Any authenticated user. I have this system account
> cn=system,cn=sysaccounts,cn=etc that I use for reading only attributes. That
> entry doesn't see any entry (besides postfixDomain object classes) under the
> tree we mentioned.
I managed: I created a privilege for the system accounts in the update file:

    dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
    default: objectClass: groupofnames
    default: objectClass: nestedgroup
    default: objectClass: top
    only: cn: Postfixadmin Readers
    default: description: Reading of mail accounts and attributes
    add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX

And then I added my managed_permission to this privilege with default_privileges.

>>> Thank you Christian. Does it mean that the
>>> cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX also needs an «only»
>>> statement?
>
>> Yes, you need to create the RDN attribute for all entries, either with
>> "only" or "default".
>
> Thanks! What's the difference between only and default, since we're here? :)
>
> Best,
>
> Francis
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
