On Thu, 22 Jun 2017, Rob Crittenden via FreeIPA-users wrote:
Jens Laufer via FreeIPA-users wrote:
I am very happy that I got Nextcloud connected to FreeIPA over LDAP. It
seems to work nearly perfectly now; the only thing I can't get working is to
pull the mail from FreeIPA and add it to Nextcloud.
I tried to use the field mail but that seems to be empty.
My configuration is nearly the same as here
What this blog is lacking is how to grant read access to the users for
this system LDAP account (assuming FreeIPA 4+). What did you do to grant
I wonder if it simply can't read the mail attribute.
Yes, it cannot but with a twist. We've been through this on IRC some
time ago -- authenticated users can read a bunch of address book
attributes only if a query filter specifies (objectclass=posixaccount):
aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator ||
employeenumber || employeetype || facsimiletelephonenumber || homephone || homepostaladdress || inetuserhttpurl ||
inetuserstatus || internationalisdnnumber || ipacertmapdata || jpegphoto || l || labeleduri || mail || mobile || o ||
ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox ||
preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street
|| telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate ||
x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl
"permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn =
If a query filter has no (objectclass=posixaccount), it does not get
these rights granted, so no access to any of the attributes on the list.
I wonder if the targetfilter limitation is useful here.
/ Alexander Bokovoy
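
An added example, not part of the original messages and not FreeIPA code: a small Python parser for an ACI of the shape quoted above. It reports whether the attributes a client wants are in targetattr and whether the client's search filter carries the clause named in targetfilter, following the behaviour described in the reply. The sample ACI is constructed (shortened attribute list, placeholder bind rule), and the function names are hypothetical.

```python
import re

# Constructed sample: same shape as the ACI quoted above, with a shortened
# attribute list and a placeholder bind rule (the quoted ACI is cut off there).
SAMPLE_ACI = (
    '(targetattr = "audio || l || mail || mobile || telephonenumber")'
    '(targetfilter = "(objectclass=posixaccount)")'
    '(version 3.0;acl "permission:System: Read User Addressbook Attributes";'
    'allow (compare,read,search) userdn = "PLACEHOLDER_BIND_RULE";)'
)

def parse_aci(aci):
    """Split an ACI string into target attributes, target filter, name and rights."""
    attrs = re.search(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', aci, re.I)
    tfilter = re.search(r'\(\s*targetfilter\s*=\s*"([^"]*)"\s*\)', aci, re.I)
    name = re.search(r'\bacl\s+"([^"]*)"', aci, re.I)
    rights = re.search(r'\ballow\s*\(([^)]*)\)', aci, re.I)
    if not (attrs and name and rights):
        raise ValueError("not a recognisable ACI")
    return {
        "attrs": {a.strip().lower() for a in attrs.group(1).split("||") if a.strip()},
        "targetfilter": tfilter.group(1) if tfilter else None,
        "name": name.group(1),
        "rights": {r.strip().lower() for r in rights.group(1).split(",")},
    }

def filter_clauses(ldap_filter):
    """Return the simple (attr=value) clauses of an LDAP filter, lower-cased.
    Boolean structure is not evaluated: a clause under (!...) still counts."""
    found = re.findall(r'\(([^()=&|!<>~]+)=([^()]*)\)', ldap_filter)
    return {f"{a.strip()}={v.strip()}".lower() for a, v in found}

def check_client(aci, client_filter, wanted_attrs):
    """Compare a client's search filter and wanted attributes against one ACI."""
    parsed = parse_aci(aci)
    required = filter_clauses(parsed["targetfilter"] or "")
    return {
        "listed": sorted(a for a in wanted_attrs if a.lower() in parsed["attrs"]),
        "not_listed": sorted(a for a in wanted_attrs if a.lower() not in parsed["attrs"]),
        "missing_clauses": sorted(required - filter_clauses(client_filter)),
    }

if __name__ == "__main__":
    # Constructed client filter, in the style of a Nextcloud login filter.
    print(check_client(SAMPLE_ACI, "(&(objectclass=inetorgperson)(uid=%uid))", ["mail"]))
```

A non-empty missing_clauses list means the client filter lacks the clause the permission is tied to, which is the situation the reply describes for the empty mail field.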