> On Nov 17, 2023, at 15:23, Rob Crittenden via FreeIPA-users <[email protected]> wrote:
> 
> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>> Hi,
>> 
>> I wrote the following code to assign read permissions to an object I created:
>> 
>> # Standard FreeIPA server-plugin imports (added here; the original post
>> # began at the @register() decorator).
>> from ipalib import api, _
>> from ipalib.plugable import Registry
>> from ipapython.dn import DN
>> from ipaserver.plugins.baseldap import LDAPObject
>> 
>> register = Registry()
>> 
>> 
>> @register()
>> class domain(LDAPObject):
>>     """
>>     Global postfix configuration (e.g. virtual domains)
>>     """
>>     object_name = _('postfix configuration')
>>     default_attributes = [
>>         'cn', 'domainQuota', 'status', 'isBackupMx', 'maxAliases'
>>     ]
>>     # Entries live under cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX
>>     container_dn = DN(('cn', 'postfixadmin'), ('cn', 'mailserver'), ('cn', 'etc'))
>>     permission_filter_objectclasses = ["postfixDomain"]
>>     object_class = ['postfixDomain']
>>     search_attributes = ['cn', 'domainQuota', 'status']
>>     label = _('Domains')
>>     label_singular = _('Domain')
>>     managed_permissions = {
>>         'System: Read Domain': {
>>             'ipapermbindruletype': 'all',
>>             'ipapermtarget': DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
>>                                 ('cn', 'etc'), api.env.basedn),
>>             #'replaces_global_anonymous_aci': True,
>>             'ipapermright': {'read', 'search', 'compare'},
>>             'ipapermdefaultattr': {
>>                 'cn', 'objectclass', 'status', 'isBackupMx',
>>                 'domainQuota', 'maxAliases'
>>             },
>>             'default_privileges': {'Postfixadmin Readers'},
>>         }
>>     }
>> 
>> 
>> It is followed by the following code on an update file:
>> 
>> dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
>> default: objectClass: groupofnames
>> default: objectClass: nestedgroup
>> default: objectClass: top
>> default: cn: Postfixadmin Readers
>> default: description: Reading of mail accounts and attributes
>> add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX
>> 
>> 
>> plugin: update_managed_permissions
>> 
>> 
>> It seems to be correct, as:
>> 
>> [root@ipa /]# ipa permission-show
>> Permission name: System: Read Domain
>>   Permission name: System: Read Domain
>>   Granted rights: read, search, compare
>>   Effective attributes: cn, createtimestamp, domainquota, entryusn, isbackupmx, maxaliases, modifytimestamp, objectclass, postfixdomain, status
>>   Default attributes: postfixdomain, cn, isbackupmx, status, domainquota, objectclass, maxaliases
>>   Bind rule type: all
>>   Subtree: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>   Target DN: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>   Type: domain
>>   Permission flags: SYSTEM, V2, MANAGED
>>   Granted to Privilege: Postfixadmin Readers
>> 
>> [root@ipa /]# ipa privilege-show
>> Privilege name: Postfixadmin Readers
>>   Privilege name: Postfixadmin Readers
>>   Description: Reading of mail accounts and attributes
>>   Permissions: System: Read Alias Data, System: Read Mailbox data, System: Read Domain
>> 
>> But the attributes ‘status’ and ‘isBackupMx’ are not showing when searching with a system account:
>> 
>> root@dbb25e3571bd:/etc/postfix/ldap# ldapsearch -D uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=test -W -b cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test -H ldap://172.17.0.2 cn=domain.test
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope subtree
>> # filter: cn=domain.test
>> # requesting: ALL
>> #
>> 
>> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
>> dn: cn=domain.test.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>> cn: domain.test
>> objectClass: postfixDomain
>> objectClass: nsContainer
>> objectClass: top
>> 
>> # search result
>> search: 2
>> result: 0 Success
>> 
>> # numResponses: 2
>> # numEntries: 1
>> 
>> When searching with an admin user:
>> 
>> [root@ipa /]# ldapsearch -b dc=ipa,dc=test cn=domain.test
>> SASL/GSSAPI authentication started
>> SASL username: [email protected]
>> SASL SSF: 256
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=ipa,dc=test> with scope subtree
>> # filter: cn=domain.test
>> # requesting: ALL
>> #
>> 
>> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
>> dn: cn=med-lo.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>> cn: domain.test
>> isBackupMx: FALSE
>> objectClass: postfixDomain
>> objectClass: nsContainer
>> objectClass: top
>> status: TRUE
>> 
>> # search result
>> search: 4
>> result: 0 Success
>> 
>> # numResponses: 2
>> # numEntries: 1
>> 
>> I have the exact same code for other objects, and I get to see the attributes that are part of an objectclass for that object. But this one, somehow, is not working.
>> 
>> Any tips?
> 
> Is the sysaccount user a member of the role, privilege or permission granting access to these attributes?
> 
> rob
I think so: I had this on my update file:

> dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
> default: objectClass: groupofnames
> default: objectClass: nestedgroup
> default: objectClass: top
> default: cn: Postfixadmin Readers
> default: description: Reading of mail accounts and attributes
> add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX

So I’d imagine it would work this way.

I changed the binding type to anonymous, and it works now.

Best,
Francis

> -- 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
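The thread diagnoses the problem by eyeballing two ldapsearch dumps, one as the system account and one as admin. The script below is an added example (not code from the thread or from FreeIPA) that does that comparison mechanically: it parses both LDIF captures offline and reports, per entry, which attributes the restricted bind cannot see or sees with different values. The two LDIF strings are constructed from the outputs quoted above, with one consistent DN (cn=domain.test) instead of the partially anonymised DNs in the post; the function names are this example's own.

```python
"""Report attributes one LDAP bind identity can read but another cannot.

Added example for the FreeIPA-users thread above; not the poster's code.
Feed it two ldapsearch outputs (same base, same filter) taken as different
bind DNs. Attribute names are compared case-insensitively because LDAP
attribute types are case-insensitive.
"""
import base64
from collections import defaultdict

# Constructed from the sysaccount search quoted in the thread
# (uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=test).
SYSACCOUNT_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope subtree
# filter: cn=domain.test
# requesting: ALL
#

# domain.test, postfixadmin, mailserver, etc, ipa.test
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed from the admin (GSSAPI) search quoted in the thread.
ADMIN_LDIF = """\
# domain.test, postfixadmin, mailserver, etc, ipa.test
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
isBackupMx: FALSE
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top
status: TRUE

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif(text):
    """Return {dn_lowercased: {attr_lowercased: [values...]}} for every entry.

    Handles '#' comments, folded continuation lines (leading space) and
    base64 values ('attr:: ...'). Lines that are not inside an entry
    (ldapsearch's 'search:'/'result:' trailer) are ignored.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]          # LDIF line folding
        else:
            unfolded.append(raw)

    entries = {}
    dn, attrs = None, defaultdict(list)
    for line in unfolded + ['']:              # trailing '' flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn.lower()] = dict(attrs)
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith('#') or ':' not in line:
            continue
        name, _sep, value = line.partition(':')
        name = name.strip().lower()
        if value.startswith(':'):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        else:
            value = value.strip()
        if name == 'dn':
            dn = value
        elif dn is not None:
            attrs[name].append(value)
    return entries


def hidden_attributes(restricted_ldif, reference_ldif):
    """Return {dn: {attr, ...}} of attributes whose values differ between the
    reference view and the restricted view. An attribute the restricted bind
    cannot read at all shows up here; so does an entry it cannot see at all
    (every attribute of that entry is reported)."""
    restricted = parse_ldif(restricted_ldif)
    reference = parse_ldif(reference_ldif)
    report = {}
    for dn, ref_attrs in reference.items():
        seen = restricted.get(dn, {})
        differing = {a for a, v in ref_attrs.items() if set(v) != set(seen.get(a, []))}
        if differing:
            report[dn] = differing
    return report


if __name__ == '__main__':
    for dn, attrs in hidden_attributes(SYSACCOUNT_LDIF, ADMIN_LDIF).items():
        print(f"{dn}: not readable by restricted bind -> {sorted(attrs)}")
```

On the constructed captures this reports `isbackupmx` and `status` for the domain entry, which is exactly the gap the thread is about. The server-side way to get the same answer without two binds is 389-ds's get-effective-rights control: `ldapsearch ... -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=test' '(cn=domain.test)'`, run as Directory Manager, returns an `attributeLevelRights` value per entry listing the rights that DN holds on each attribute. Whatever the fix, rerun the comparison afterwards with an anonymous bind (`ldapsearch -x` with no `-D`) as well: a FreeIPA permission with bind rule type `anonymous` grants the read to unauthenticated clients too, so the switch described above should be a deliberate choice rather than a side effect of getting the sysaccount working.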
