# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D

That is how I created the user; it is from the FreeIPA docs. The user is
just named a bit differently (system2).

sent from my mobile

On 22.06.2017 9:56 PM, "Alexander Bokovoy via FreeIPA-users" <
freeipa-users@lists.fedorahosted.org> wrote:

> On Thu, 22 June 2017, Rob Crittenden via FreeIPA-users wrote:
>
>> Jens Laufer via FreeIPA-users wrote:
>>
>>> Hello,
>>>
>>> I am very happy that I got Nextcloud connected to FreeIPA over LDAP. It
>>> seems to work nearly perfectly now; the only thing I can't get working is
>>> pulling the mail from FreeIPA and adding it to Nextcloud.
>>>
>>> I tried to use the field mail but that seems to be empty.
>>>
>>> My configuration is nearly the same as here:
>>> http://poorlydocumented.com/2017/02/integrating-nextcloud-11-with-freeipa-4/
>>>
>>
>> What this blog is lacking is how to grant read access to the users for
>> this system LDAP account (assuming freeIPA 4+). What did you do to grant
>> that?
>>
>> I wonder if it simply can't read the mail attribute.
>>
> Yes, it cannot, but with a twist. We've been through this on IRC some
> time ago -- authenticated users can read a bunch of address book
> attributes only if a query filter specifies (objectclass=posixaccount):
>
> dn: cn=users,cn=accounts,dc=ipa,dc=example
> aci: (targetattr = "audio || businesscategory || carlicense ||
> departmentnumber || destinationindicator || employeenumber || employeetype
> || facsimiletelephonenumber || homephone || homepostaladdress ||
> inetuserhttpurl || inetuserstatus || internationalisdnnumber ||
> ipacertmapdata || jpegphoto || l || labeleduri || mail || mobile || o || ou
> || pager || photo || physicaldeliveryofficename || postaladdress ||
> postalcode || postofficebox || preferreddeliverymethod || preferredlanguage
> || registeredaddress || roomnumber || secretary || seealso || st || street
> || telephonenumber || teletexterminalidentifier || telexnumber ||
> usercertificate || usersmimecertificate || x121address ||
> x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version
> 3.0;acl "permission:System: Read User Addressbook Attributes";allow
> (compare,read,search) userdn = "ldap:///all";;)
>
> If a query filter has no (objectclass=posixaccount), it does not get
> these rights granted, so no access to any of the attributes on the list.
>
> I wonder if targetfilter limitation is useful here.
>
> --
> / Alexander Bokovoy
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
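As an added example (not code from the thread, FreeIPA or 389-ds): a small Python helper that parses an ACI of the shape quoted above and applies the rule Alexander describes, so an admin can check whether a client's search filter will be granted the mail attribute and amend the filter if not. The trimmed ACI text and the encoding of the rule (the targetfilter assertion must be a mandatory top-level AND term of the search filter) are assumptions made for this example.

```python
import re

# Constructed, shortened copy of the "System: Read User Addressbook Attributes"
# ACI quoted in the thread; the real one lists many more attributes.
SAMPLE_ACI = (
    '(targetattr = "mail || mobile || telephonenumber || jpegphoto")'
    '(targetfilter = "(objectclass=posixaccount)")'
    '(version 3.0;acl "permission:System: Read User Addressbook Attributes";'
    'allow (compare,read,search) userdn = "ldap:///all";)'
)

def parse_aci(aci):
    """Extract the parts of a 389-ds ACI that matter here: the targetattr list,
    the targetfilter, the ACL name and the granted rights (lower-cased)."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci).group(1)
    tfilter = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    name = re.search(r'acl\s+"([^"]*)"', aci).group(1)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci).group(1)
    return {
        "targetattr": {a.strip().lower() for a in attrs.split("||")},
        "targetfilter": tfilter.group(1).lower() if tfilter else None,
        "name": name,
        "rights": {r.strip() for r in rights.split(",")},
    }

def _top_level_terms(ldap_filter):
    """Split '(&(a=b)(c=d))' into its top-level terms (lower-cased); any other
    filter is returned whole as a single term."""
    f = ldap_filter.strip().lower()
    if not f.startswith("(&"):
        return [f]
    inner, terms, depth, start = f[2:-1], [], 0, 0
    for i, ch in enumerate(inner):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:                       # closed one complete term
            terms.append(inner[start:i + 1])
            start = i + 1
    return terms

def readable_attrs(aci, search_filter, wanted):
    """Attributes from `wanted` this ACI exposes for `search_filter`, using the
    thread's rule: the targetfilter must be a mandatory term of the filter."""
    parsed = parse_aci(aci)
    if parsed["targetfilter"] and parsed["targetfilter"] not in _top_level_terms(search_filter):
        return set()
    return {a for a in wanted if a.lower() in parsed["targetattr"]}

def with_targetfilter(search_filter, targetfilter="(objectclass=posixaccount)"):
    """Rewrite a client filter so it carries the targetfilter assertion."""
    if targetfilter.lower() in _top_level_terms(search_filter):
        return search_filter
    return "(&" + targetfilter + search_filter + ")"
```

Running `readable_attrs` against the filter Nextcloud actually sends (visible in the Nextcloud LDAP settings or in the 389-ds access log) tells you whether mail will come back before you touch the ACI.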