Hi,

I wrote the following code to assign read permissions to an object I created: 

# Imports as used by FreeIPA 4.4+ server plugins (older releases import
# baseldap from ipalib.plugins instead of ipaserver.plugins).
from ipalib import api, _
from ipalib.plugable import Registry
from ipapython.dn import DN
from ipaserver.plugins.baseldap import LDAPObject

register = Registry()


@register()
class domain(LDAPObject):
    """
    Global postfix configuration (e.g. virtual domains)
    """
    object_name = _('postfix configuration')
    default_attributes = [
        'cn', 'domainQuota', 'status', 'isBackupMx', 'maxAliases'
    ]
    # Container is relative to api.env.basedn
    container_dn = DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
                      ('cn', 'etc'))
    permission_filter_objectclasses = ["postfixDomain"]
    object_class = ['postfixDomain']
    search_attributes = ['cn', 'domainQuota', 'status']
    label = _('Domains')
    label_singular = _('Domain')
    managed_permissions = {
        'System: Read Domain': {
            # 'all' = any authenticated bind DN
            'ipapermbindruletype': 'all',
            'ipapermtarget': DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
                                ('cn', 'etc'), api.env.basedn),
            # 'replaces_global_anonymous_aci': True,
            'ipapermright': {'read', 'search', 'compare'},
            'ipapermdefaultattr': {
                'cn', 'objectclass', 'status', 'isBackupMx',
                'domainQuota', 'maxAliases'
            },
            'default_privileges': {'Postfixadmin Readers'},
        },
    }


It is followed by the following code in an update file:

dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
default: objectClass: groupofnames
default: objectClass: nestedgroup
default: objectClass: top
default: cn: Postfixadmin Readers
default: description: Reading of mail accounts and attributes
add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX


plugin: update_managed_permissions


It seems to be correct, as:

[root@ipa /]# ipa permission-show
Permission name: System: Read Domain
  Permission name: System: Read Domain
  Granted rights: read, search, compare
  Effective attributes: cn, createtimestamp, domainquota, entryusn, isbackupmx, 
maxaliases, modifytimestamp, objectclass,
                        postfixdomain, status
  Default attributes: postfixdomain, cn, isbackupmx, status, domainquota, 
objectclass, maxaliases
  Bind rule type: all
  Subtree: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
  Target DN: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
  Type: domain
  Permission flags: SYSTEM, V2, MANAGED
  Granted to Privilege: Postfixadmin Readers
[root@ipa /]# ipa privilege-show
Privilege name: Postfixadmin Readers
  Privilege name: Postfixadmin Readers
  Description: Reading of mail accounts and attributes
  Permissions: System: Read Alias Data, System: Read Mailbox data, System: Read 
Domain

But the attributes ‘status’ and ‘isBackupMx’ are not showing when searching 
with a system account: 

root@dbb25e3571bd:/etc/postfix/ldap# ldapsearch -D 
uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=test -W -b 
cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test -H ldap://172.17.0.2 
cn=domain.test
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope subtree
# filter: cn=domain.test
# requesting: ALL
#

# med-lo.eu, postfixadmin, mailserver, etc, ipa.test
dn: cn=domain.test.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

When searching with an admin user: 

[root@ipa /]# ldapsearch -b dc=ipa,dc=test cn=domain.test
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> with scope subtree
# filter: cn=domain.test
# requesting: ALL
#

# med-lo.eu, postfixadmin, mailserver, etc, ipa.test
dn: cn=med-lo.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
isBackupMx: FALSE
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top
status: TRUE

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

I have the exact same code for other objects, and I get to see the attributes 
that are part of an objectclass for that object. But this one, somehow, is not 
working.

Any tips?

Best,
Francis 
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
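When a managed permission looks right in `ipa permission-show` but a bound identity still gets a thinner entry back, the quickest way to pin down the gap is to diff three things: the attributes the permission claims to grant, the attributes that really exist on the entry (as seen by an admin bind), and the attributes the restricted bind actually receives. The following script is an added example, not code from the original post or from FreeIPA; the sample `ipa permission-show` and LDIF blocks are constructed from the output quoted above (with the wrapped `Effective attributes` line restored to the indented continuation form that `ipa` prints), and all function names are the example's own.

```python
"""Diff what a FreeIPA managed permission grants against what a bound
identity actually gets back from ldapsearch (added example)."""
import re

# "  Key: value" rows of `ipa *-show` output. The key is matched
# non-greedily so "Permission name: System: Read Domain" splits at the
# first ": " rather than the last one.
_ROW = re.compile(r'^\s*([A-Za-z][A-Za-z ]*?): (.*)$')

# Constructed sample, modelled on the `ipa permission-show` output above.
PERMISSION_SHOW = """\
Permission name: System: Read Domain
  Permission name: System: Read Domain
  Granted rights: read, search, compare
  Effective attributes: cn, createtimestamp, domainquota, entryusn, isbackupmx, maxaliases, modifytimestamp, objectclass,
                        postfixdomain, status
  Default attributes: postfixdomain, cn, isbackupmx, status, domainquota, objectclass, maxaliases
  Bind rule type: all
  Subtree: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
  Target DN: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
  Type: domain
  Permission flags: SYSTEM, V2, MANAGED
  Granted to Privilege: Postfixadmin Readers
"""

# Constructed sample: the entry as returned to the system account bind.
RESTRICTED_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope subtree
# filter: cn=domain.test
# requesting: ALL
#

# domain.test, postfixadmin, mailserver, etc, ipa.test
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top

# search result
search: 2
result: 0 Success
"""

# Constructed sample: the same entry as returned to an admin (GSSAPI) bind.
ADMIN_LDIF = """\
# domain.test, postfixadmin, mailserver, etc, ipa.test
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
isBackupMx: FALSE
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top
status: TRUE

# search result
search: 4
result: 0 Success
"""


def parse_ipa_show(text):
    """Parse `ipa permission-show` style output into {key: value}.

    The deeply indented wrap that `ipa` emits for long attribute lists has
    no "Key: " prefix, so such lines are appended to the preceding key.
    """
    rows, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _ROW.match(line)
        if match:
            current = match.group(1).strip()
            rows[current] = match.group(2).strip()
        elif current is not None:
            rows[current] += ' ' + line.strip()
    return rows


def effective_attributes(show_output):
    """Lower-cased set of the permission's 'Effective attributes'."""
    value = parse_ipa_show(show_output).get('Effective attributes', '')
    return {a.strip().lower() for a in value.split(',') if a.strip()}


def ldif_attribute_names(ldif):
    """Lower-cased attribute names of the first entry in an LDIF dump.

    Comments, the dn line and wrapped continuation lines are skipped; the
    first blank line after the entry ends it, so the trailing
    'search:'/'result:' lines of ldapsearch output are not mistaken for
    attributes.
    """
    names, in_entry = set(), False
    for line in ldif.splitlines():
        if line.startswith('#'):
            continue
        if not line.strip():
            if in_entry:
                break
            continue
        if line.startswith('dn:'):
            in_entry = True
            continue
        if not in_entry or line.startswith(' '):
            continue
        # "attr: value" and base64 "attr:: value" both split on the first ':'
        names.add(line.split(':', 1)[0].strip().lower())
    return names


def missing_attributes(show_output, restricted_ldif, reference_ldif):
    """Attributes the permission grants AND that exist on the entry, but
    that the restricted bind did not receive. Operational attributes such
    as createtimestamp drop out automatically because the reference dump
    (requested without '+') does not contain them."""
    granted = effective_attributes(show_output)
    on_entry = ldif_attribute_names(reference_ldif)
    seen = ldif_attribute_names(restricted_ldif)
    return (granted & on_entry) - seen


if __name__ == '__main__':
    gap = missing_attributes(PERMISSION_SHOW, RESTRICTED_LDIF, ADMIN_LDIF)
    print('granted but not returned to the bound identity:', sorted(gap))
```

A non-empty result means the ACI that 389-ds actually evaluates for that bind DN is narrower than the permission object suggests (for example a different ACI matched first, or the targetfilter/target of the generated ACI does not cover the entry), which is the point at which `ipa permission-show --all --raw` and the aci attribute on the suffix entry are worth comparing; an empty result points instead at the attribute simply not being present on the entry.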