Hello,
I am very happy that I got Nextcloud connected to FreeIPA over LDAP. It seems to work nearly perfectly now; the only thing I can't get to work is pulling the mail from FreeIPA and adding it to Nextcloud.
I tried to use the field mail, but that seems to be empty.
My configuration is nearly the same as here: http://poorlydocumented.com/2017/02/integrating-nextcloud-11-with-freeipa-4/
Please help me :)
Thank you all
Jens Laufer via FreeIPA-users wrote:
What this blog is lacking is how to grant read access to the users for this system LDAP account (assuming freeIPA 4+). What did you do to grant that?
I wonder if it simply can't read the mail attribute.
rob
On Thu, 22 Jun 2017, Rob Crittenden via FreeIPA-users wrote:
Yes, it cannot, but with a twist. We've been through this on IRC some time ago -- authenticated users can read a bunch of address book attributes only if a query filter specifies (objectclass=posixaccount):
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || facsimiletelephonenumber || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || ipacertmapdata || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
If a query filter has no (objectclass=posixaccount), it does not get these rights granted, so no access to any of the attributes on the list.
I wonder if the targetfilter limitation is useful here.
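Added example (not from this thread, FreeIPA or Nextcloud): a small Python check that parses an ACI of the form quoted above, confirms `mail` is among its target attributes, and tests whether a Nextcloud LDAP user filter carries the `(objectclass=posixaccount)` term as an AND-ed clause, which is the condition Alexander describes. The ACI text is a constructed, shortened copy of the one in the thread, and the filter strings are constructed samples.

```python
import re

# Constructed, shortened copy of the FreeIPA ACI quoted in the thread ('mail' kept).
ACI = ('(targetattr = "audio || homephone || mail || mobile || telephonenumber")'
       '(targetfilter = "(objectclass=posixaccount)")'
       '(version 3.0;acl "permission:System: Read User Addressbook Attributes";'
       'allow (compare,read,search) userdn = "ldap:///all";)')


def parse_aci(aci):
    """Return (target attribute set, targetfilter or None, allowed rights set)."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci).group(1)
    tfilter = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci).group(1)
    return ({a.strip().lower() for a in attrs.split('||')},
            tfilter.group(1).replace(' ', '').lower() if tfilter else None,
            {r.strip().lower() for r in rights.split(',')})


def top_level_terms(query_filter):
    """Split '(&(a)(b))' into its direct children ['(a)', '(b)']; [] if not a top-level AND."""
    q = query_filter.replace(' ', '').lower()
    if not (q.startswith('(&') and q.endswith(')')):
        return []
    body, terms, depth, start = q[2:-1], [], 0, 0
    for i, ch in enumerate(body):          # balanced-paren walk, one child per depth-0 group
        if ch == '(':
            if depth == 0:
                start = i
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                terms.append(body[start:i + 1])
    return terms


def filter_has_clause(query_filter, clause):
    """True if the clause is the whole filter or a direct AND-ed term of it (not inside an OR)."""
    q = query_filter.replace(' ', '').lower()
    return q == clause or clause in top_level_terms(q)


def mail_readable(query_filter, aci=ACI):
    """Would a search using query_filter be granted read on 'mail' under this ACI?"""
    attrs, tfilter, rights = parse_aci(aci)
    if 'mail' not in attrs or 'read' not in rights:
        return False
    return tfilter is None or filter_has_clause(query_filter, tfilter)


def with_posixaccount(query_filter):
    """AND the posixaccount clause into a Nextcloud user filter that lacks it."""
    if filter_has_clause(query_filter, '(objectclass=posixaccount)'):
        return query_filter
    return '(&(objectclass=posixaccount)%s)' % query_filter
```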
# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D
That is how I created the user; it is from the FreeIPA docs. The user is just named a bit differently (system2).
sent from my mobile
On 22.06.2017 9:56 PM, "Alexander Bokovoy via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:
So I tried it out with another bind user that I created under cn=users,cn=accounts instead of cn=sysaccounts,cn=etc,
and it works: it pulls the mails from the accounts.
But I don't think that is the best way to do it, or is it? Isn't that kind of a security issue?
j.