On Fri, Mar 18, 2016 at 6:14 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Thu, 17 Mar 2016, Natxo Asenjo wrote:
>> Hi,
>> see subject. For user accounts it's possible (even multivalued).
>> Adding it using an ldap client gives me error 65 (attribute 65 not
>> allowed).
> In order to add *any* attribute to *any* LDAP entry you need two
> conditions to be satisfied:
> 1. The LDAP entry in question should have an object class that allows this
>    attribute
> 2. The authenticated user should have an ACI that allows adding this attribute
>    to this entry
> 'Attribute not allowed' means condition (1) is not satisfied. FreeIPA
> LDAP server has three object classes by default that allow you to add the mail
> attribute to an entry:
>  -- inetOrgPerson
>  -- mailRecipient
>  -- mailGroup
> I'd say that if you want to associate mail with a group, mailGroup
> would be a better object class to use. It is an auxiliary object class,
> meaning it only adds some attributes to an entry and there should exist
> more fundamental classes (we have them for group already).
> As for (2), admins should have enough rights to modify the 'mail' attribute
> and the 'objectclass' attribute on group entries.

Thanks for your explanation. I have added the mailGroup objectclass to the
default group objectclasses group options in 'configuration' and now I can
add the entry. This post helped too:


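Added example, not part of the original thread or of FreeIPA's code: a small offline check of condition (1) from the reply above, showing why adding `mail` to a group entry fails with an object class violation until an auxiliary class such as mailGroup is present. The schema text, its placeholder OIDs and abbreviated attribute lists, and the function names are constructed for illustration; read the real definitions from your server's schema.

```python
import re

# Constructed, simplified RFC 4512-style definitions. OIDs are placeholders
# and attribute lists are abbreviated; this is not a dump of a real server.
SCHEMA = """
( 1.1.1 NAME 'top' ABSTRACT MUST objectClass )
( 1.1.2 NAME 'groupOfNames' SUP top STRUCTURAL MUST cn MAY ( member $ description ) )
( 1.1.3 NAME 'posixGroup' SUP top AUXILIARY MUST ( cn $ gidNumber ) MAY memberUid )
( 1.1.4 NAME 'mailGroup' SUP top AUXILIARY MAY ( cn $ mail ) )
( 1.1.5 NAME 'mailRecipient' SUP top AUXILIARY MAY ( cn $ mail $ mailHost ) )
"""

def parse_schema(text):
    """Map lowercased class name -> superior, auxiliary flag, MUST+MAY attrs."""
    classes = {}
    for line in text.strip().splitlines():
        name = re.search(r"NAME '([^']+)'", line).group(1)
        sup = re.search(r"SUP (\S+)", line)
        attrs = set()
        for kw in ("MUST", "MAY"):
            m = re.search(kw + r" (?:\(([^)]*)\)|(\S+))", line)
            if m:
                names = (m.group(1) or m.group(2)).split("$")
                attrs |= {a.strip().lower() for a in names}
        classes[name.lower()] = {"sup": sup.group(1).lower() if sup else None,
                                 "aux": " AUXILIARY " in line, "attrs": attrs}
    return classes

def allowed_attrs(classes, object_classes):
    """Union of attributes permitted by the entry's classes and their superiors."""
    allowed = set()
    for oc in object_classes:
        cur = oc.lower()
        while cur:  # walk the SUP chain up to 'top'
            allowed |= classes[cur]["attrs"]
            cur = classes[cur]["sup"]
    return allowed

def check_add(classes, object_classes, attr):
    """Return (ok, auxiliary classes that would permit attr if ok is False)."""
    if attr.lower() in allowed_attrs(classes, object_classes):
        return True, []
    fixes = sorted(n for n, c in classes.items()
                   if c["aux"] and attr.lower() in c["attrs"])
    return False, fixes

if __name__ == "__main__":
    classes = parse_schema(SCHEMA)
    group = ["top", "groupOfNames", "posixGroup"]  # constructed group entry
    print(check_add(classes, group, "mail"))                  # rejected
    print(check_add(classes, group + ["mailGroup"], "mail"))  # accepted
```

This models only the schema check; condition (2), the ACI on the bound user, is evaluated separately by the server.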