On Thu, 17 Mar 2016, Natxo Asenjo wrote:

see subject. For user accounts it's possible (even multivalued),

Adding it using an ldap client gives me error 65 (attribute 65 not allowed).
In order to add *any* attribute to *any* LDAP entry you need two
conditions to be satisfied:

1. The LDAP entry in question should have an object class that allows this
2. The authenticated user should have an ACI that allows adding this attribute
   to this entry

'Attribute not allowed' means condition (1) is not satisfied. The FreeIPA
LDAP server has three object classes by default that allow you to add the mail
attribute to an entry:
 -- inetOrgPerson
 -- mailRecipient
 -- mailGroup

I'd say that if you want to associate mail with a group, mailGroup
would be a better object class to use. It is an auxiliary object class,
meaning it only adds some attributes to an entry and there should exist
more fundamental classes (we have them for group already).

As for (2), admins should have enough rights to modify 'mail' attribute
and 'objectclass' attribute on group entries.

/ Alexander Bokovoy
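The two conditions above can be checked before touching the directory. The following is an added example, not code from the thread or from the FreeIPA project: it models condition (1) with a small, constructed schema table (only the classes the reply names plus a couple of typical group classes, not the real server schema), tells you which auxiliary class is missing, and emits the single-operation `ldapmodify` LDIF that adds `mailGroup` and `mail` together, since adding `mail` alone is what triggers result 65 (objectClassViolation). The group DN, the `cn=groups,cn=accounts` container and the address are assumed sample values.

```python
"""Pre-flight check and LDIF generator for adding 'mail' to a FreeIPA group.

Constructed example. The schema table is deliberately minimal: it encodes
what the thread states (inetOrgPerson, mailRecipient and mailGroup permit
'mail') and a few structural group classes. A real server evaluates the
full schema from cn=schema, and the ACI check (condition 2) is still done
server-side; this only catches the objectClassViolation case up front.
"""
from typing import Dict, Iterable, List, Sequence, Set

# Constructed, minimal schema: object class -> attributes it permits.
SCHEMA_ALLOWED_ATTRS: Dict[str, Set[str]] = {
    "inetorgperson": {"mail", "cn", "sn", "uid"},
    "mailrecipient": {"mail", "mailalternateaddress"},
    "mailgroup": {"mail", "cn"},
    "groupofnames": {"cn", "member"},
    "ipausergroup": {"cn", "member"},
    "posixgroup": {"cn", "gidnumber", "memberuid"},
}

# Canonical spelling for output; LDAP matching is case-insensitive.
CANONICAL = {
    "inetorgperson": "inetOrgPerson",
    "mailrecipient": "mailRecipient",
    "mailgroup": "mailGroup",
    "groupofnames": "groupOfNames",
    "ipausergroup": "ipaUserGroup",
    "posixgroup": "posixGroup",
}


def allowed_attrs(object_classes: Iterable[str]) -> Set[str]:
    """Union of attributes permitted by all object classes on an entry."""
    allowed: Set[str] = set()
    for oc in object_classes:
        allowed |= SCHEMA_ALLOWED_ATTRS.get(oc.lower(), set())
    return allowed


def objectclass_violation(object_classes: Iterable[str], attr: str) -> bool:
    """True when adding `attr` would fail condition (1), i.e. LDAP result 65."""
    return attr.lower() not in allowed_attrs(object_classes)


def classes_allowing(attr: str) -> List[str]:
    """Object classes (canonical spelling, sorted) that permit `attr`."""
    return sorted(
        CANONICAL[oc] for oc, attrs in SCHEMA_ALLOWED_ATTRS.items()
        if attr.lower() in attrs
    )


def build_modify_ldif(dn: str, add_classes: Sequence[str],
                      attr: str, values: Sequence[str]) -> str:
    """One 'changetype: modify' record adding classes and the attribute.

    Both additions sit in the same modify operation so the server evaluates
    the schema against the entry's new object class list, not the old one.
    """
    lines = [f"dn: {dn}", "changetype: modify"]
    if add_classes:
        lines.append("add: objectClass")
        lines.extend(f"objectClass: {oc}" for oc in add_classes)
        lines.append("-")
    lines.append(f"add: {attr}")
    lines.extend(f"{attr}: {v}" for v in values)
    lines.append("-")
    return "\n".join(lines) + "\n"


def plan_mail_for_group(dn: str, current_classes: Sequence[str],
                        values: Sequence[str],
                        preferred_class: str = "mailGroup") -> str:
    """Return the LDIF needed; add the auxiliary class only if required."""
    needed = [] if not objectclass_violation(current_classes, "mail") \
        else [preferred_class]
    return build_modify_ldif(dn, needed, "mail", values)


if __name__ == "__main__":
    # Assumed sample values: a typical FreeIPA group entry and its classes.
    GROUP_DN = "cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com"
    CURRENT = ["ipaUserGroup", "groupOfNames", "posixGroup"]
    print("classes that permit 'mail':", classes_allowing("mail"))
    print("would 'mail' alone violate schema?",
          objectclass_violation(CURRENT, "mail"))
    print(plan_mail_for_group(GROUP_DN, CURRENT, ["mailusers@example.com"]))
```

Feed the printed record to `ldapmodify -x -D "cn=Directory Manager" -W` (or bind as an admin with the ACIs the reply mentions); if the bind identity lacks write rights on `objectClass` or `mail`, the server answers with an access-denied result rather than 65, which is how you tell condition (2) from condition (1).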

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
