hi,

On Fri, Mar 18, 2016 at 6:14 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Thu, 17 Mar 2016, Natxo Asenjo wrote:
>
>> hi,
>>
>> see subject. For user accounts it's possible (even multivalued),
>>
>> Adding it using an ldap client gives me error 65 (attribute 65 not
>> allowed).
>>
> In order to add *any* attribute to *any* LDAP entry you need two
> conditions to be satisfied:
>
> 1. LDAP entry in question should have object class that allows this
>    attribute
> 2. Authenticated user should have ACI that allows to add this attribute
>    to this entry
>
> 'Attribute not allowed' means condition (1) is not satisfied. FreeIPA
> LDAP server has three object classes by default that allow you to add mail
> attribute to an entry:
> -- inetOrgPerson
> -- mailRecipient
> -- mailGroup
>
> I'd say that if you want to associate mail with a group, mailGroup
> would be a better object class to use. It is an auxiliary object class,
> meaning it only adds some attributes to an entry and there should exist
> more fundamental classes (we have them for group already).
>
> As for (2), admins should have enough rights to modify 'mail' attribute
> and 'objectclass' attribute on group entries
>

thanks for your explanation. I have added the mailGroup objectclass to the default group objectclasses group options in 'configuration' and now I can add the entry.

This post helped too:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00050.html

Thanks!

--
Greetings,
natxo
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
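Added example, not part of the thread: a small Python model of the two conditions described above, showing why adding mail alone to a group fails with result code 65 while adding the mailGroup object class in the same modify succeeds. The schema excerpt, the sample group entry and the names `check_add` and `ADMIN_WRITABLE` are constructed for illustration and are not FreeIPA's actual schema or code.

```python
# Constructed schema excerpt: attributes each object class permits.
# Per the thread, inetOrgPerson, mailRecipient and mailGroup allow 'mail';
# the other classes and all attribute lists are simplified assumptions.
SCHEMA_ALLOWS = {
    "top": {"objectclass"},
    "groupofnames": {"cn", "member", "description"},
    "posixgroup": {"cn", "gidnumber", "description"},
    "inetorgperson": {"cn", "sn", "uid", "mail"},
    "mailrecipient": {"cn", "mail"},
    "mailgroup": {"cn", "mail"},
}

SUCCESS = 0
INSUFFICIENT_ACCESS_RIGHTS = 50  # LDAP result code when condition (2) fails
OBJECT_CLASS_VIOLATION = 65      # LDAP result code when condition (1) fails

# Constructed sample group entry and the attributes an admin's ACIs let it write.
GROUP = {"objectClass": ["top", "groupofnames", "posixgroup"],
         "cn": ["staff"], "gidNumber": ["1234"]}
ADMIN_WRITABLE = {"mail", "objectclass"}


def allowed_attrs(object_classes):
    """Union of the attributes permitted by every object class on the entry."""
    allowed = set()
    for oc in object_classes:
        allowed |= SCHEMA_ALLOWS.get(oc.lower(), set())
    return allowed


def check_add(entry, adds, writable_attrs):
    """Return the result code for one modify made of (attribute, value) adds."""
    # Condition (2): the bound user must be allowed to write each attribute.
    # Checking this first is a modelling choice of this example.
    if any(attr.lower() not in writable_attrs for attr, _ in adds):
        return INSUFFICIENT_ACCESS_RIGHTS
    # Condition (1): schema is checked on the entry as it looks after the
    # whole modify, so a class added in the same operation counts.
    result = {k.lower(): list(v) for k, v in entry.items()}
    for attr, value in adds:
        result.setdefault(attr.lower(), []).append(value)
    allowed = allowed_attrs(result["objectclass"])
    if any(attr not in allowed for attr in result):
        return OBJECT_CLASS_VIOLATION
    return SUCCESS


if __name__ == "__main__":
    both = [("objectClass", "mailGroup"), ("mail", "staff@example.com")]
    print(check_add(GROUP, both[1:], ADMIN_WRITABLE))  # mail alone
    print(check_add(GROUP, both, ADMIN_WRITABLE))      # class and mail together
    print(check_add(GROUP, both, {"mail"}))            # no right to objectclass
```
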