> On Nov 17, 2023, at 17:04, Rob Crittenden <[email protected]> wrote:
>
> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>
>>
>>> On Nov 17, 2023, at 15:23, Rob Crittenden via FreeIPA-users
>>> <[email protected]> wrote:
>>>
>>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> I wrote the following code to assign read permissions to an object I
>>>> created:
>>>>
>>>> # Imports a FreeIPA server plugin module needs for this definition
>>>> # (added for completeness; the original post started at @register()).
>>>> from ipalib import api, _
>>>> from ipalib.plugable import Registry
>>>> from ipapython.dn import DN
>>>> from ipaserver.plugins.baseldap import LDAPObject
>>>>
>>>> register = Registry()
>>>>
>>>>
>>>> @register()
>>>> class domain(LDAPObject):
>>>>     """
>>>>     Global postfix configuration (e.g virtual domains)
>>>>     """
>>>>     object_name = _('postfix configuration')
>>>>     default_attributes = [
>>>>         'cn', 'domainQuota', 'status', 'isBackupMx', 'maxAliases'
>>>>     ]
>>>>     container_dn = DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
>>>>                       ('cn', 'etc'))
>>>>     permission_filter_objectclasses = ["postfixDomain"]
>>>>     object_class = ['postfixDomain']
>>>>     search_attributes = ['cn', 'domainQuota', 'status']
>>>>     label = _('Domains')
>>>>     label_singular = _('Domain')
>>>>     managed_permissions = {
>>>>         'System: Read Domain': {
>>>>             'ipapermbindruletype': 'all',
>>>>             'ipapermtarget': DN(('cn', 'postfixadmin'), ('cn', 'mailserver'),
>>>>                                 ('cn', 'etc'), api.env.basedn),
>>>>             # 'replaces_global_anonymous_aci': True,
>>>>             'ipapermright': {'read', 'search', 'compare'},
>>>>             'ipapermdefaultattr': {
>>>>                 'cn', 'objectclass',
>>>>                 'status', 'isBackupMx', 'domainQuota', 'maxAliases'
>>>>             },
>>>>             'default_privileges': {'Postfixadmin Readers'},
>>>>         }
>>>>     }
>>>>
>>>>
>>>> It is followed by the following code on an update file:
>>>>
>>>> dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
>>>> default: objectClass: groupofnames
>>>> default: objectClass: nestedgroup
>>>> default: objectClass: top
>>>> default: cn: Postfixadmin Readers
>>>> default: description: Reading of mail accounts and attributes
>>>> add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX
>>>>
>>>>
>>>> plugin: update_managed_permissions
>>>>
>>>>
>>>> It seems to be correct, as:
>>>>
>>>> [root@ipa /]# ipa permission-show
>>>> Permission name: System: Read Domain
>>>>   Permission name: System: Read Domain
>>>>   Granted rights: read, search, compare
>>>>   Effective attributes: cn, createtimestamp, domainquota, entryusn,
>>>>                         isbackupmx, maxaliases, modifytimestamp, objectclass,
>>>>                         postfixdomain, status
>>>>   Default attributes: postfixdomain, cn, isbackupmx, status, domainquota,
>>>>                       objectclass, maxaliases
>>>>   Bind rule type: all
>>>>   Subtree: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>>>   Target DN: cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>>>   Type: domain
>>>>   Permission flags: SYSTEM, V2, MANAGED
>>>>   Granted to Privilege: Postfixadmin Readers
>>>> [root@ipa /]# ipa privilege-show
>>>> Privilege name: Postfixadmin Readers
>>>>   Privilege name: Postfixadmin Readers
>>>>   Description: Reading of mail accounts and attributes
>>>>   Permissions: System: Read Alias Data, System: Read Mailbox data, System:
>>>>                Read Domain
>>>>
>>>> But the attributes ‘status’ and ‘isBackupMx’ are not showing when
>>>> searching with a system account:
>>>>
>>>> root@dbb25e3571bd:/etc/postfix/ldap# ldapsearch -D
>>>> uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=test -W -b
>>>> cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test -H ldap://172.17.0.2
>>>> cn=domain.test
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope
>>>> subtree
>>>> # filter: cn=domain.test
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
>>>> dn: cn=domain.test.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>>> cn: domain.test
>>>> objectClass: postfixDomain
>>>> objectClass: nsContainer
>>>> objectClass: top
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> When searching with an admin user:
>>>>
>>>> [root@ipa /]# ldapsearch -b dc=ipa,dc=test cn=domain.test
>>>> SASL/GSSAPI authentication started
>>>> SASL username: [email protected]
>>>> SASL SSF: 256
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=ipa,dc=test> with scope subtree
>>>> # filter: cn=domain.test
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # med-lo.eu, postfixadmin, mailserver, etc, ipa.test
>>>> dn: cn=med-lo.eu,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
>>>> cn: domain.test
>>>> isBackupMx: FALSE
>>>> objectClass: postfixDomain
>>>> objectClass: nsContainer
>>>> objectClass: top
>>>> status: TRUE
>>>>
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> I have the exact same code for other objects, and I get to see the
>>>> attributes that are part of an objectclass for that object. But this one,
>>>> somehow, is not working.
>>>>
>>>> Any tips?
>>>
>>> Is the sysaccount user a member of the role, privilege or permission
>>> granting access to these attributes?
>>>
>>> rob
>>
>> I think so:
>>
>> I had this on my update file:
>>
>>> dn: cn=Postfixadmin Readers,cn=privileges,cn=pbac,$SUFFIX
>>> default: objectClass: groupofnames
>>> default: objectClass: nestedgroup
>>> default: objectClass: top
>>> default: cn: Postfixadmin Readers
>>> default: description: Reading of mail accounts and attributes
>>> add: member: cn=sysaccounts,cn=etc,cn=accounts,$SUFFIX
>
> Ah I missed that. So you want to add the actual sysaccount user as a
> member. You added the sysaccounts container.

But it worked for other objects to add the container and not the user, so
all system users can read the values. I don’t understand why it didn’t work
for this object.

>
>>
>> So I’d imagine it would work this way.
>>
>> I changed the binding type to anonymous, and it works now.
>
> I wouldn't recommend that. It means anyone can read your postfix
> configuration. And I mean anyone who can connect to your LDAP server.

I imagined that. But I just couldn’t make it work any other way. I will try
again with `all` instead of `anonymous` to see if it works now.

UPDATE: it works now. I deleted the previous permission with ldapdelete, and
applied the plugin again. And it just worked!

Best,
Francis
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
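The diagnosis in this thread was made by eyeballing two ldapsearch dumps of the same entry, one from a privileged (admin) bind and one from the restricted system-account bind, and noticing which attributes were missing. The script below, added here as an example and not part of the thread or of FreeIPA itself, automates that comparison: it parses both LDIF dumps, lists the attributes the restricted bind cannot see, and splits them into attributes the managed permission's `ipapermdefaultattr` was supposed to grant (a real ACI/membership problem, as in the thread) and attributes the permission never promised (expected to be hidden). The two LDIF samples are constructed to mirror the thread's output with a single consistent DN; `PERMISSION_ATTRS` is copied from the `System: Read Domain` definition above. Attribute names are compared case-insensitively, as LDAP does.

```python
"""Compare a privileged and a restricted ldapsearch dump of the same entry
and report which attributes the restricted bind cannot read."""
import base64

# Constructed sample output, modelled on the thread (not a real capture).
ADMIN_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=test> with scope subtree
# filter: cn=domain.test
# requesting: ALL
#

# domain.test, postfixadmin, mailserver, etc, ipa.test
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
isBackupMx: FALSE
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top
status: TRUE

# search result
search: 4
result: 0 Success
"""

# Same entry as seen by the system account bind (constructed sample).
SYSACCOUNT_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test> with scope subtree
# filter: cn=domain.test
# requesting: ALL
#

# domain.test, postfixadmin, mailserver, etc, ipa.test
dn: cn=domain.test,cn=postfixadmin,cn=mailserver,cn=etc,dc=ipa,dc=test
cn: domain.test
objectClass: postfixDomain
objectClass: nsContainer
objectClass: top

# search result
search: 2
result: 0 Success
"""

# ipapermdefaultattr of 'System: Read Domain' from the plugin in the thread.
PERMISSION_ATTRS = {'cn', 'objectclass', 'status', 'isBackupMx',
                    'domainQuota', 'maxAliases'}


def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for every entry in an LDIF dump.

    Handles '#' comments, folded continuation lines (leading space), base64
    values ('attr:: ...') and ignores the trailing 'search:'/'result:' lines
    that ldapsearch prints after the last entry."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current_dn, attrs = {}, None, {}
    for line in unfolded:
        if not line.strip():                      # blank line ends an entry
            if current_dn is not None:
                entries[current_dn] = attrs
            current_dn, attrs = None, {}
            continue
        if line.startswith('#'):
            continue
        name, sep, value = line.partition(':')
        if not sep:
            continue
        if value.startswith(':'):                 # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        if name == 'dn':
            current_dn, attrs = value, {}
        elif current_dn is not None:              # skip search:/result: lines
            attrs.setdefault(name.lower(), []).append(value)
    if current_dn is not None:
        entries[current_dn] = attrs
    return entries


def missing_attributes(privileged_ldif, restricted_ldif, permission_attrs):
    """For each entry in the privileged dump, report what the restricted bind
    is missing: the whole entry, attributes the permission should have granted,
    or attributes the permission never covered."""
    granted = {a.lower() for a in permission_attrs}
    privileged = parse_ldif(privileged_ldif)
    restricted = parse_ldif(restricted_ldif)
    report = {}
    for dn, attrs in privileged.items():
        if dn not in restricted:
            report[dn] = {'entry_visible': False,
                          'granted_but_hidden': set(), 'not_granted': set()}
            continue
        hidden = set(attrs) - set(restricted[dn])
        report[dn] = {'entry_visible': True,
                      'granted_but_hidden': hidden & granted,
                      'not_granted': hidden - granted}
    return report


if __name__ == '__main__':
    for dn, r in missing_attributes(ADMIN_LDIF, SYSACCOUNT_LDIF,
                                    PERMISSION_ATTRS).items():
        print(dn)
        if not r['entry_visible']:
            print('  entry not visible to restricted bind at all')
        print('  granted by permission but hidden:', sorted(r['granted_but_hidden']))
        print('  hidden and not covered by permission:', sorted(r['not_granted']))
```

In use, replace the two constants with the saved output of `ldapsearch` run once with an admin (GSSAPI) bind and once with `-D uid=...,cn=sysaccounts,cn=etc,$SUFFIX -W`. A non-empty `granted_but_hidden` set means the permission definition is fine but the bind is not actually reaching it (privilege or role membership, a stale permission that needs re-applying, or a target/subtree mismatch), which is exactly the situation in the thread; a non-empty `not_granted` set is the permission doing its job.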
