On 14/11/2023 08.48, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:

On Nov 14, 2023, at 07:39, Christian Heimes via FreeIPA-users 
<[email protected]> wrote:


I noticed that your plugin creates a bunch of managed permissions, but has no update code 
to wire them to privileges and roles. You have to add your permissions to a privilege, 
either with "default_privileges" in the managed permission or manually with an 
LDAP update. My code has some examples:

https://github.com/podengo-project/ipa-hcc/blob/4a3998191099ef062fe54d7e1ca64ef31b0338be/install/server/updates/85-hcc.update#L59

Thanks a lot for your answer.

I am a bit confused here. What should be an appropriate default_privileges 
value so that a system account can read all the entries/attributes below 
cn=mailserver,cn=etc?

Who should be allowed to access the fields? All principals (users, services, hosts, sys accounts) or a limited subset of principals?

Thank you Christian. Does it mean that the 
cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX  also needs an «only» statement?

Yes, you need to create the RDN attribute for all entries, either with "only" or "default".

Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
  • [Freeipa-users] Help wit... Francis Augusto Medeiros-Logeay via FreeIPA-users
    • [Freeipa-users] Re:... Rob Crittenden via FreeIPA-users
      • [Freeipa-users]... Francis Augusto Medeiros-Logeay via FreeIPA-users
        • [Freeipa-us... Christian Heimes via FreeIPA-users
          • [Freeip... Francis Augusto Medeiros-Logeay via FreeIPA-users
            • [F... Christian Heimes via FreeIPA-users
              • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
                • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
                • ... Christian Heimes via FreeIPA-users
                • ... Francis Augusto Medeiros-Logeay via FreeIPA-users

Reply via email to