Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>
>> On Nov 17, 2023, at 15:23, Rob Crittenden via FreeIPA-users
>> <[email protected]> wrote:
>>
>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I wrote the following code to assign read permissions to an object I
>>> created:
>>>
>>> from ipalib import api, _
>>> from ipalib.plugable import Registry
>>> from ipapython.dn import DN
>>> from ipaserver.plugins.baseldap import LDAPObject
>>>
>>> register = Registry()
>>>
>>>
>>> @register()
>>> class domain(LDAPObject):
>>>     """
>>>     Global postfix configuration (e.g. virtual domains)
>>>     """
>>>     object_name = _('postfix configuration')
>>>     default_attributes = [
>>>         'cn', 'domainQuota', 'status', 'isBackupMx', 'maxAliases'
>>>     ]
>>>     # relative to api.env.basedn
>>>     container_dn = DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
>>>                       ('cn', 'etc'))
>>>     permission_filter_objectclasses = ['postfixDomain']
>>>     object_class = ['postfixDomain']
>>>     search_attributes = ['cn', 'domainQuota', 'status']
>>>     label = _('Domains')
>>>     label_singular = _('Domain')
>>>     managed_permissions = {
>>>         'System: Read Domain': {
>>>             'ipapermbindruletype': 'all',
>>>             # subtree the ACI applies to, anchored at the base DN
>>>             'ipapermtarget': DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
>>>                                 ('cn', 'etc'), api.env.basedn),
>>>             # 'replaces_global_anonymous_aci': True,
>>>             'ipapermright': {'read', 'search', 'compare'},
>>>             'ipapermdefaultattr': {
>>>                 'cn', 'objectclass',
>>>                 'status', 'isBackupMx', 'domainQuota', 'maxAliases'
>>>             },
>>>             'default_privileges': {'Postfixadmin Readers'},
>>>         },
>>>     }
>>>
>>> It is followed by the following code in an update file:
>>>
>>> dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
>>> default: objectClass: groupofnames
>>> default: objectClass: nestedgroup
>>> default: objectClass: top
>>> default: cn: Postfixadmin Readers
>>> default: description: Reading of mail accounts and attributes
>>> add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX
>>>
>>> plugin: update_managed_permissions
>>>
>>> It seems to be correct, as:
>>>
>>> [root@ipa /]# ipa permission-show
>>> Permission name: System: Read Domain
>>>   Permission name: System: Read Domain
>>>   Granted rights: read, search, compare
>>>   Effective attributes: cn, createtimestamp, domainquota, entryusn,
>>>                         isbackupmx, maxaliases, modifytimestamp, objectclass,
>>>                         postfixdomain, status
>>>   Default attributes: postfixdomain, cn, isbackupmx, status, domainquota,
>>>                       objectclass, maxaliases
>>>   Bind rule type: all
>>>   Subtree: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>>   Target DN: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>>   Type: domain
>>>   Permission flags: SYSTEM, V2, MANAGED
>>>   Granted to Privilege: Postfixadmin Readers
>>> [root@ipa /]# ipa privilege-show
>>> Privilege name: Postfixadmin Readers
>>>   Privilege name: Postfixadmin Readers
>>>   Description: Reading of mail accounts and attributes
>>>   Permissions: System: Read Alias Data, System: Read Mailbox data, System:
>>>                Read Domain
>>>
>>> But the attributes 'status' and 'isBackupMx' are not showing when
>>> searching with a system account:
>>>
>>> root@dbb25e3571bd:/etc/postfix/ldap# ldapsearch -D
>>> uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=test -W -b
>>> cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test -H ldap://172.17.0.2
>>> cn=domain.test
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope
>>> subtree
>>> # filter: cn=domain.test
>>> # requesting: ALL
>>> #
>>>
>>> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
>>> dn: cn=domain.test.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>> cn: domain.test
>>> objectClass: postfixDomain
>>> objectClass: nsContainer
>>> objectClass: top
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> When searching with an admin user:
>>>
>>> [root@ipa /]# ldapsearch -b dc=ipa,dc=test cn=domain.test
>>> SASL/GSSAPI authentication started
>>> SASL username: [email protected]
>>> SASL SSF: 256
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=ipa,dc=test> with scope subtree
>>> # filter: cn=domain.test
>>> # requesting: ALL
>>> #
>>>
>>> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
>>> dn: cn=med-lo.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>> cn: domain.test
>>> isBackupMx: FALSE
>>> objectClass: postfixDomain
>>> objectClass: nsContainer
>>> objectClass: top
>>> status: TRUE
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> I have the exact same code for other objects, and I get to see the
>>> attributes that are part of an objectclass for that object. But this one,
>>> somehow, is not working.
>>>
>>> Any tips?
>>
>> Is the sysaccount user a member of the role, privilege or permission
>> granting access to these attributes?
>>
>> rob
>
> I think so:
>
> I had this in my update file:
>
>> dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
>> default: objectClass: groupofnames
>> default: objectClass: nestedgroup
>> default: objectClass: top
>> default: cn: Postfixadmin Readers
>> default: description: Reading of mail accounts and attributes
>> add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX
Ah, I missed that. So you want to add the actual sysaccount user as a
member. You added the sysaccounts container.

>
> So I'd imagine it would work this way.
>
> I changed the binding type to anonymous, and it works now.

I wouldn't recommend that. It means anyone can read your postfix
configuration. And I mean anyone who can connect to your LDAP server.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
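Added example, not from the thread or from FreeIPA itself: a small audit helper that parses two ldapsearch LDIF outputs (the restricted bind's view and the admin's view of the same entry) and reports which attributes granted by the managed permission the restricted bind could not read, which is the symptom described above. The sample LDIF and the attribute set are constructed from the thread's own output; the DN and attribute values are assumptions.

```python
# Added example: compare what a restricted bind actually receives against
# what the 'System: Read Domain' permission is supposed to grant.
# Sample LDIF below is constructed from the ldapsearch output in the thread.

# ipapermdefaultattr of 'System: Read Domain', lower-cased because LDAP
# attribute names are case-insensitive.
DOMAIN_READ_ATTRS = {'cn', 'objectclass', 'status', 'isbackupmx',
                     'domainquota', 'maxaliases'}


def parse_ldif_entries(ldif):
    """Return ldapsearch output as a list of {attr: [values]} dicts.
    Comment lines and the trailing search:/result: lines are skipped."""
    entries, current = [], {}
    for line in ldif.splitlines():
        if not line.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        name = name.strip().lower()
        if name not in ('search', 'result'):
            current.setdefault(name, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def unreadable_attributes(admin_entry, restricted_entry, granted):
    """Granted attributes the entry carries (per the admin's view) that the
    restricted bind did not get back: the ACI is not effective for them."""
    return (set(admin_entry) & granted) - set(restricted_entry)


# Constructed samples mirroring the two searches quoted in the thread.
ADMIN_VIEW = parse_ldif_entries("""\
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
isBackupMx: FALSE
objectClass: postfixDomain
status: TRUE
""")[0]

SYSACCOUNT_VIEW = parse_ldif_entries("""\
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
objectClass: postfixDomain
""")[0]
```

Running `unreadable_attributes(ADMIN_VIEW, SYSACCOUNT_VIEW, DOMAIN_READ_ATTRS)` on these samples yields `{'status', 'isbackupmx'}`, the two attributes the thread reports as missing; an empty set after a configuration change is the sign the permission is effective for the bind under test.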
