That sounds exactly like what we need.
Thank you very much,

Petr Fišer

On 08/03/2017 06:01 PM, Alexander Bokovoy wrote:
On Thu, 03 Aug 2017, Petr Fišer via FreeIPA-users wrote:
We are currently deploying FreeIPA and we make use of custom attributes.
We defined them in a script (located in /usr/lib/python2.7/site-packages/ipaserver/plugins/) that looks like this:

from ipaserver.plugins.user import user
from ipalib.parameters import Str
from ipalib import _

# Extend the 'user' object with an optional 'mailroutingaddress' attribute
user.takes_params = user.takes_params + (
    Str('mailroutingaddress?',
        label=_('Mail routing address'),
    ),
)

This works fine, server makes the attribute visible through API and also the "ipa" command can work with it. Basically, we made those attributes part of our default. However, users (ordinary user in FreeIPA and also sysaccounts) cannot access those attributes when binding directly to the LDAP. This is due to ACI that FreeIPA writes into the LDAP.

I know that in FreeIPA:

* For user himself, ldap://self filter can be defined with "ipa
  selfservice-add 'some name' --attrs=mailroutingaddress
  --permissions=read" .
* For user to read attributes of other users, I can define permission,
  privilege and role and add this role to a user or group.
* For sysaccounts, it is advised to define custom ACI in the LDAP itself.

What I am thinking of: Is there any way that I can make FreeIPA re-generate its LDAP ACI based on our extended user class? Say, let the IPA server load our script which extends "user" with the "mailroutingaddress" attribute, and then call "ipa whatever", which effectively modifies FreeIPA's notion of the user class and redefines the ACI?
You can use the approach I chose in the FleetCommander plugin:

In server plugin you'd define managed permissions:

Then when ipa-server-upgrade is run these permissions are automatically
converted into ACIs for any plugins.
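As an added illustration of the managed-permissions approach described above (this is example code, not code from the thread, from the FleetCommander plugin, or from FreeIPA itself), the block below defines two read-only managed permissions for the custom "mailroutingaddress" attribute in the same managed_permissions dictionary format that FreeIPA's own ipaserver.plugins.user uses: one bound to the user's own entry (the self-service case) and one attached to a privilege, so it can be granted through a role. The permission names, the choice of the existing "User Administrators" privilege, and the check_permissions/register_permissions helpers are assumptions of this example; the ipaserver import is optional so the definitions can be inspected off an IPA server.

```python
# Added example, not code from the thread: managed permissions for the custom
# 'mailroutingaddress' user attribute. When this module is loaded as a server
# plugin, ipa-server-upgrade turns the entries into ACIs. The permission names,
# the privilege name and the two helper functions are assumptions.
try:
    from ipaserver.plugins.user import user  # only present on an IPA server
except ImportError:
    user = None  # allows the definitions to be inspected and tested offline

# Keys of the managed_permissions format this example relies on.
ALLOWED_KEYS = {
    'ipapermbindruletype',   # 'self', 'anonymous', 'all' or 'permission'
    'ipapermright',          # set of LDAP rights granted by the ACI
    'ipapermdefaultattr',    # attributes the ACI covers
    'default_privileges',    # privileges the permission is added to
}
READ_RIGHTS = {'read', 'search', 'compare'}

MAIL_ROUTING_PERMISSIONS = {
    # A user may read their own mail routing address (ldap:///self bind rule).
    'System: Read User Mail Routing Address (Self)': {  # name is an assumption
        'ipapermbindruletype': 'self',
        'ipapermright': READ_RIGHTS,
        'ipapermdefaultattr': {'mailroutingaddress'},
    },
    # Holders of the privilege (via a role) may read it on other users.
    'System: Read User Mail Routing Address': {  # name is an assumption
        'ipapermbindruletype': 'permission',
        'ipapermright': READ_RIGHTS,
        'ipapermdefaultattr': {'mailroutingaddress'},
        'default_privileges': {'User Administrators'},  # existing IPA privilege
    },
}


def check_permissions(perms):
    """Return a list of problems found in a managed_permissions dict (empty = OK).

    Catches mistakes that would silently yield an over- or under-privileged ACI:
    unknown keys, more than read access, a 'permission' bind rule with no
    privilege to attach to, and an entry that does not cover the attribute.
    """
    problems = []
    for name, spec in perms.items():
        unknown = set(spec) - ALLOWED_KEYS
        if unknown:
            problems.append(f'{name}: unknown keys {sorted(unknown)}')
        if not spec.get('ipapermright', set()) <= READ_RIGHTS:
            problems.append(f'{name}: grants more than read access')
        if (spec.get('ipapermbindruletype') == 'permission'
                and not spec.get('default_privileges')):
            problems.append(f'{name}: permission bind rule without default_privileges')
        if 'mailroutingaddress' not in spec.get('ipapermdefaultattr', set()):
            problems.append(f'{name}: does not cover mailroutingaddress')
    return problems


def register_permissions(plugin=user, perms=MAIL_ROUTING_PERMISSIONS):
    """Merge perms into plugin.managed_permissions and return the names added.

    The merged entries become ACIs the next time ipa-server-upgrade runs.
    Returns an empty list when no plugin object is available (off-server).
    """
    if plugin is None:
        return []
    problems = check_permissions(perms)
    if problems:
        raise ValueError('; '.join(problems))
    merged = dict(plugin.managed_permissions)  # copy, do not mutate the original
    merged.update(perms)
    plugin.managed_permissions = merged
    return sorted(perms)


# Importing the module as a plugin performs the registration.
register_permissions()
```

Dropping this file next to the attribute-extension script in ipaserver/plugins/ and running ipa-server-upgrade is what turns the dictionary into ACIs; check_permissions is there so a typo in a key or an accidental write right is caught before that step rather than discovered in the resulting ACI.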

FreeIPA-users mailing list