That sounds exactly like what we need.
Thank you very much,
On 08/03/2017 06:01 PM, Alexander Bokovoy wrote:
On Thu, 03 Aug 2017, Petr Fišer via FreeIPA-users wrote:
We are currently deploying FreeIPA and we make use of custom attributes.
We defined them in custom.py script (located in
custom.py looks like this:
from ipaserver.plugins.user import user
from ipalib.parameters import Int
from ipalib.parameters import Str
from ipalib import _

# 'user' is the plugin class itself, so its takes_params is extended directly.
# The trailing '?' marks the parameter as optional.
user.takes_params = user.takes_params + (
    Str('mailroutingaddress?',
        label=_('Mail routing address'),
    ),
)
This works fine, server makes the attribute visible through API and
also the "ipa" command can work with it. Basically, we made those
attributes part of our default.
However, users (ordinary user in FreeIPA and also sysaccounts) cannot
access those attributes when binding directly to the LDAP. This is
due to ACI that FreeIPA writes into the LDAP.
I know that in FreeIPA:
* For user himself, ldap://self filter can be defined with "ipa
selfservice-add 'some name' --attrs=mailroutingaddress"
* For user to read attributes of other users, I can define permission,
privilege and role and add this role to a user or group.
* For sysaccounts, it is advised to define custom ACI in the LDAP
What I am thinking of: Is there any way that I can make FreeIPA
re-generate its LDAP ACI based on our extended user class? Say let
the IPA server load our custom.py which extends "user" with
"mailroutingaddress" attribute and then call "ipa whatever" which
effectively modifies FreeIPA's notion of user class and redefines the
You can use an approach I chose in FleetCommander plugin:
In server plugin you'd define managed permissions:
Then when ipa-server-upgrade is run these permissions are automatically
converted into ACIs for any plugins.
FreeIPA-users mailing list
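As an added illustration of the managed-permission approach described above (this is example code, not the thread's custom.py or the FleetCommander plugin): a permission that lets every authenticated bind read the custom mailroutingaddress attribute, plus a sketch of the 389-ds ACI that ipa-server-upgrade derives from such a definition. The permission name, the example suffix and the ACI rendering are this example's assumptions.

```python
# Added example: managed permission for the custom 'mailroutingaddress'
# attribute, in the dict format FreeIPA server plugins use, and an
# approximation of the ACI that ipa-server-upgrade generates from it.
try:
    from ipaserver.plugins.user import user  # only present on an IPA server
except ImportError:  # lets the module be imported and tested offline
    user = None

PERMISSION_NAME = 'System: Read User Mail Routing Address'  # assumed name

# 'all' = every authenticated bind (ordinary users and sysaccounts alike);
# anonymous binds are not covered, which is the least-privilege choice here.
MAIL_ROUTING_PERMISSION = {
    PERMISSION_NAME: {
        'ipapermbindruletype': 'all',
        'ipapermright': {'read', 'search', 'compare'},
        'ipapermdefaultattr': {'mailroutingaddress'},
        'replaces_global_anonymous_aci': False,
    },
}

if user is not None:
    # Merge into the user object's managed permissions; on the next
    # ipa-server-upgrade each entry is written to LDAP as an ACI.
    user.managed_permissions.update(MAIL_ROUTING_PERMISSION)

_BIND_RULES = {
    'anonymous': 'userdn = "ldap:///anyone"',
    'all': 'userdn = "ldap:///all"',
}


def render_aci(name, spec, suffix='dc=example,dc=com',
               targetfilter='(objectclass=posixaccount)'):
    """Approximate the ACI FreeIPA writes for one managed permission.

    Illustration only (assumed format); the real conversion is done by
    ipa-server-upgrade. 'suffix' is a constructed example base DN.
    """
    rule = spec['ipapermbindruletype']
    if rule == 'permission':
        # Permission-bound ACIs grant to the permission's own group entry.
        bind = 'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s"' % (name, suffix)
    else:
        bind = _BIND_RULES[rule]
    attrs = ' || '.join(sorted(spec['ipapermdefaultattr']))
    rights = ','.join(sorted(spec['ipapermright']))
    return ('(targetattr = "%s")(targetfilter = "%s")'
            '(version 3.0;acl "permission:%s";allow (%s) %s;)'
            % (attrs, targetfilter, name, rights, bind))
```

Reviewing the rendered ACI before the upgrade run is a quick way to confirm that only the intended attribute and bind rule are being exposed.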