Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> Hi,
>
> I wrote the following code to assign read permissions to an object I created:
>
> from ipalib import api, _
> from ipalib.plugable import Registry
> from ipapython.dn import DN
> from ipaserver.plugins.baseldap import LDAPObject
>
> register = Registry()
>
>
> @register()
> class domain(LDAPObject):
>     """
>     Global postfix configuration (e.g. virtual domains)
>     """
>     object_name = _('postfix configuration')
>     default_attributes = [
>         'cn', 'domainQuota', 'status', 'isBackupMx', 'maxAliases'
>     ]
>     container_dn = DN(('cn', 'postfixadmin'), ('cn', 'mailserver'), ('cn', 'etc'))
>     permission_filter_objectclasses = ['postfixDomain']
>     object_class = ['postfixDomain']
>     search_attributes = ['cn', 'domainQuota', 'status']
>     label = _('Domains')
>     label_singular = _('Domain')
>     managed_permissions = {
>         'System: Read Domain': {
>             'ipapermbindruletype': 'all',
>             'ipapermtarget': DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
>                                 ('cn', 'etc'), api.env.basedn),
>             # 'replaces_global_anonymous_aci': True,
>             'ipapermright': {'read', 'search', 'compare'},
>             'ipapermdefaultattr': {
>                 'cn', 'objectclass',
>                 'status', 'isBackupMx', 'domainQuota', 'maxAliases'
>             },
>             'default_privileges': {'Postfixadmin Readers'},
>         },
>     }
>
>
> It is followed by the following code on an update file:
>
> dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
> default: objectClass: groupofnames
> default: objectClass: nestedgroup
> default: objectClass: top
> default: cn: Postfixadmin Readers
> default: description: Reading of mail accounts and attributes
> add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX
>
>
> plugin: update_managed_permissions
>
>
> It seems to be correct, as:
>
> [root@ipa /]# ipa permission-show
> Permission name: System: Read Domain
> Permission name: System: Read Domain
> Granted rights: read, search, compare
> Effective attributes: cn, createtimestamp, domainquota, entryusn,
> isbackupmx, maxaliases, modifytimestamp, objectclass,
> postfixdomain, status
> Default attributes: postfixdomain, cn, isbackupmx, status, domainquota,
> objectclass, maxaliases
> Bind rule type: all
> Subtree: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> Target DN: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> Type: domain
> Permission flags: SYSTEM, V2, MANAGED
> Granted to Privilege: Postfixadmin Readers
> [root@ipa /]# ipa privilege-show
> Privilege name: Postfixadmin Readers
> Privilege name: Postfixadmin Readers
> Description: Reading of mail accounts and attributes
> Permissions: System: Read Alias Data, System: Read Mailbox data, System:
> Read Domain
>
> But the attributes ‘status’ and ‘isBackupMx’ are not showing when searching
> with a system account:
>
> root@dbb25e3571bd:/etc/postfix/ldap# ldapsearch -D
> uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=test -W -b
> cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test -H ldap://172.17.0.2
> cn=domain.test
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope
> subtree
> # filter: cn=domain.test
> # requesting: ALL
> #
>
> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
> dn: cn=domain.test.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> cn: domain.test
> objectClass: postfixDomain
> objectClass: nsContainer
> objectClass: top
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> When searching with an admin user:
>
> [root@ipa /]# ldapsearch -b dc=ipa,dc=test cn=domain.test
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 256
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=ipa,dc=test> with scope subtree
> # filter: cn=domain.test
> # requesting: ALL
> #
>
> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
> dn: cn=med-lo.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
> cn: domain.test
> isBackupMx: FALSE
> objectClass: postfixDomain
> objectClass: nsContainer
> objectClass: top
> status: TRUE
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> I have the exact same code for other objects, and I get to see the attributes
> that are part of an objectclass for that object. But this one, somehow, is
> not working.
>
> Any tips?
Is the sysaccount user a member of the role, privilege or permission
granting access to these attributes?
rob
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
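An added check, not from the thread or from FreeIPA itself, that makes Rob's question concrete: it diffs the attributes the admin bind saw against the ones the sysaccount bind saw, then splits the withheld attributes into those the permission claims to grant and those it does not. If everything withheld is already in the permission's effective attribute list, the attribute list is not the problem and the question becomes who the ACI actually applies to (bind rule and privilege/role membership). The three inputs are constructed from the outputs pasted in the question, trimmed to one consistent entry DN.

```python
import re

# Constructed sample inputs, copied from the outputs shown in the question.
PERMISSION_SHOW = """\
  Permission name: System: Read Domain
  Granted rights: read, search, compare
  Effective attributes: cn, createtimestamp, domainquota, entryusn,
                        isbackupmx, maxaliases, modifytimestamp, objectclass,
                        postfixdomain, status
  Bind rule type: all
"""
SYSACCOUNT_LDIF = """\
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top
"""
ADMIN_LDIF = """\
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
isBackupMx: FALSE
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top
status: TRUE
"""

def ldif_attrs(ldif):
    """Attribute names (lower-cased, 'dn' excluded) present in one LDIF entry."""
    names = set()
    for line in ldif.splitlines():
        if not line or line[0] in "# ":      # skip comments and continuation lines
            continue
        name = line.split(":", 1)[0].strip().lower()
        if name != "dn":
            names.add(name)
    return names

def effective_attrs(show_output):
    """Parse the (line-wrapped) 'Effective attributes:' field of ipa permission-show."""
    chunks, collecting = [], False
    for line in show_output.splitlines():
        if line.strip().startswith("Effective attributes:"):
            collecting = True
            chunks.append(line.split(":", 1)[1])
        elif collecting:
            if re.match(r"\s*[A-Za-z][A-Za-z ]*: ", line):   # next field starts
                break
            chunks.append(line)
    return {a.strip().lower() for a in ",".join(chunks).split(",") if a.strip()}

def diagnose(show_output, reference_ldif, restricted_ldif):
    """Attributes the reference bind saw but the restricted bind did not, split by
    whether the permission's effective attribute list covers them."""
    withheld = ldif_attrs(reference_ldif) - ldif_attrs(restricted_ldif)
    granted = effective_attrs(show_output)
    return {"granted_but_withheld": withheld & granted,
            "not_in_permission": withheld - granted}
```

When `not_in_permission` is empty, as it is for the thread's data, the effective attribute list already covers the missing attributes, so the remaining thing to verify is the binding identity's membership path to the permission.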