On 14/11/2023 08.48, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:

On Nov 14, 2023, at 07:39, Christian Heimes via FreeIPA-users <[email protected]> wrote:

I noticed that your plugin creates a bunch of managed permissions, but has no update code
to wire them to privileges and roles. You have to add your permissions to a privilege,
either with "default_privileges" in the managed permission or manually with an
LDAP update. My code has some examples:
https://github.com/podengo-project/ipa-hcc/blob/4a3998191099ef062fe54d7e1ca64ef31b0338be/install/server/updates/85-hcc.update#L59

Thanks a lot for your answer.
I am a bit confused here. What should be an appropriate default_privileges
value so that a system account can read all the entries/attributes below
cn=mailserver,cn=etc?

Who should be allowed to access the fields? All principals (users,
services, hosts, sys accounts) or a limited subset of principals?

Thank you Christian. Does it mean that the
cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX also needs an «only» statement?

Yes, you need to create the RDN attribute for all entries, either with
"only" or "default".

Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
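
Added example, not part of the original thread or of either poster's code: a small lint for the rule in the last reply, which reports every dn: block in a FreeIPA .update file that does not set its own RDN attribute with an only: or default: line. The sample file is constructed; the two DNs come from the thread, while the objectClass values are assumptions, and the check assumes every dn: block is meant to create its entry and has a single-valued RDN.

```python
import re

# Constructed sample update file; the DNs come from the thread, the attribute
# values and objectClasses are assumptions made for illustration.
SAMPLE_UPDATE = """\
# constructed sample, not the plugin's real update file
dn: cn=mailserver,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: mailserver

dn: cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
"""

# "<action>: <attribute>: <value>", e.g. "default: cn: mailserver"
DIRECTIVE = re.compile(r"^(\w+):\s*([\w;.-]+):")


def parse_entries(text):
    """Return [(dn, [(action, attribute), ...])] for each dn: block."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            entries.append((line[3:].strip(), []))
            continue
        m = DIRECTIVE.match(line)
        if m and entries:
            entries[-1][1].append((m.group(1).lower(), m.group(2).lower()))
    return entries


def missing_rdn(text):
    """DNs whose RDN attribute is not set by an only: or default: line."""
    flagged = []
    for dn, directives in parse_entries(text):
        # First RDN component, e.g. "cn" from "cn=postfixadmin,...".
        rdn_attr = dn.split(",", 1)[0].split("=", 1)[0].strip().lower()
        if not any(action in ("only", "default") and attr == rdn_attr
                   for action, attr in directives):
            flagged.append(dn)
    return flagged


if __name__ == "__main__":
    for dn in missing_rdn(SAMPLE_UPDATE):
        print("RDN attribute not set with only:/default: for", dn)
```

On the constructed sample it reports only the postfixadmin entry, because the mailserver entry already carries "default: cn: mailserver".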