-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 05/06/12 14:21, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> On 05/06/12 14:09, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Hi all
>>>>
>>>> I may be overlooking something here, but from what I can gather, the
>>>> value in the ipa config of "Default e-mail domain for new users" should
>>>> automatically create the mail attribute for said user upon creation?
>>>>
>>>> Do I need to do an additional step or something to activate the mail
>>>> attribute or is it missing?
>>>>
>>>> Any pointers on what I'm missing to mail-enable a user in ldap?
>>>>
>>>>
>>>> Running RHEL 6.2 x86_64 with ipa-server 2.1.3-9.el6
>>>>
>>>> Output from ipa server as follows
>>>>
>>>> [root@ds01 ~]# ipa config-show
>>>> Max. username length: 32
>>>> Home directory base: /home
>>>> Default shell: /bin/bash
>>>> Default users group: ipausers
>>>> Default e-mail domain for new users: example.com
>>>> Search time limit: 2
>>>> Search size limit: 100
>>>> User search fields: uid,givenname,sn,telephonenumber,ou,title
>>>> Group search fields: cn,description
>>>> Enable migration mode: FALSE
>>>> Certificate Subject base: O=EXAMPLE.COM
>>>> Password Expiration Notification (days): 4
>>>> [root@ds01 ~]#
>>>>
>>>>
>>>>
>>>> [root@ds01 ~]# ldapsearch -x -b dc=example,dc=com -P 3 -b
>>>> "uid=testuser,cn=users,cn=accounts,dc=example,dc=com"
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base<uid=testuser,cn=users,cn=accounts,dc=example,dc=com> with scope
>>>> subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # testuser, users, accounts, example.com
>>>> dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
>>>> displayName: testuser 1
>>>> cn: testuser 1
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalperson
>>>> objectClass: inetorgperson
>>>> objectClass: inetuser
>>>> objectClass: posixaccount
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbticketpolicyaux
>>>> objectClass: ipaobject
>>>> objectClass: mepOriginEntry
>>>> loginShell: /bin/bash
>>>> sn: 1
>>>> gecos: testuser 1
>>>> homeDirectory: /home/testuser
>>>> krbPwdPolicyReference:
>>>> cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,
>>>> dc=com
>>>> krbPrincipalName: testu...@example.com
>>>> givenName: testuser
>>>> uid: testuser
>>>> initials: t1
>>>> uidNumber: 1668600004
>>>> gidNumber: 1668600004
>>>> ipaUniqueID: 0d620620-acfd-11e1-943c-52540025e829
>>>> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=example,dc=com
>>>> krbPasswordExpiration: 20120831215158Z
>>>> krbLastPwdChange: 20120602215158Z
>>>> krbExtraData:: AAL+ispPdGVzdHVzZXJARVhBTVBMRS5DT00A
>>>> krbExtraData:: AAgBAA==
>>>> krbLastSuccessfulAuth: 20120602215703Z
>>>> krbLoginFailedCount: 0
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>> [root@ds01 ~]#
>>>
>>> It looks like it isn't creating the mail attribute by default. I opened
>> ticket https://fedorahosted.org/freeipa/ticket/2810
>>>
>>> rob
>>
>> Thanks for pointing out it wasn't me doing something silly ;-)
>>
>> On thinking deeper onto the issue, perhaps it is beneficial not to have
>> it done by default? e.g if I have a mail server accepting mail for ldap
>> lookups for mail entries, this would mean EVERYONE has a mailbox whereas
>> that might not be beneficial in many situations..
>>
>> In the AD side of things, a user has to be mail enabled, in order to
>> become valid for mail purposes.
>>
>> In this situation, I can manually add the mail address with "ipa
>> user-mod --email=testu...@example.com" which does what I was needing.
>>
>> Theres a few reasons for and against having default email access for new
>> users...
>>
>> I'm just bouncing some ideas out loud at the moment. Thoughts?
>>
>
> Our intention was to automatically populate the field if the default
e-mail domain was set. If it wasn't then we'd do nothing.
>
> rob

That does make sense.. As long as the customer has a method of
controlling yay or nay, thats the main thing.

Thanks for clarifying.

Dale

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPzggwAAoJEAJsWS61tB+qVTQQAKp/qa3qpstP10GC0nzreYJg
DvWXYLTRqWzy3OoyMK2nqqfLfp1x8JeJdIrQg9UWn4n200ihfHqcoefA8lX9KMMf
YO1ss8gPoBSf25pmsBkLOke22wk/SdahvKWJvxUOWjGzMfCeLFyIMNPO/c2UA9wg
Bzay/jgK5Hl55GDotsW1WEiPJDh2S1OaSqU8ud4/gO10zey6QhKwfp0CBqpyybLq
fmbRf7UA6LFrHUMTyw1JaoA4dYN47JpdGHcOr0JqSgFjB0ODpMqD51YJW3kLCRUc
O5Q/pUg/YbTVYqsC67u5P2sMsNsFoUJQz4LrsNEODwczmrjVrqMITISCRUfKkWto
sdlzONJ/zCJsWa6hArr4l7WbqI6H4RyfRMaJLEuQjBOpE7NQgRLQIRWj9oc4iNor
xM32HOttgrSDX+xvp4x5uVVfsFKIT8Rn09K0YTpzdX9XFuitN25tC0psRvu19y8X
3g7lmFamiQbuJN5ERQ8RbuVL4Cx8bK5ensEQSgJtWxkGBDMPx3H9oLBil/bAWqR1
au8zxRkval/MNaewc7xMvETldFtdyk2smv9gV76LauuGXFMnBDDVAsN5po0rX05S
bCyNbIvVM2+MQUawCVf5aDpzs6gsE3WB4QyTA8YlFixavgfY31pLWku8x3PVQKfZ
lOYFB+tYU+8DlWp2/7Dz
=fhQv
-----END PGP SIGNATURE-----

Attachment: 0xB5B41FAA.asc
Description: application/pgp-keys

Attachment: 0xB5B41FAA.asc.sig
Description: PGP signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to