On Thu, 22 Jun 2017, Rob Crittenden via FreeIPA-users wrote:
> Jens Laufer via FreeIPA-users wrote:
>> I am very happy that I got Nextcloud connected to FreeIPA over LDAP. It
>> seems to work nearly perfectly now; the only thing I can't get to work is
>> pulling the mail from FreeIPA and adding it to Nextcloud.
>> I tried to use the field mail but that seems to be empty.
>> My configuration is nearly the same as here
> What this blog is lacking is how to grant read access to the users for
> this system LDAP account (assuming FreeIPA 4+). What did you do to grant
> I wonder if it simply can't read the mail attribute.
Yes, it cannot, but with a twist. We've been through this on IRC some
time ago -- authenticated users can read a bunch of address book
attributes only if a query filter specifies (objectclass=posixaccount):
aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber ||
destinationindicator || employeenumber || employeetype || facsimiletelephonenumber ||
homephone || homepostaladdress || inetuserhttpurl || inetuserstatus ||
internationalisdnnumber || ipacertmapdata || jpegphoto || l || labeleduri || mail ||
mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress ||
postalcode || postofficebox || preferreddeliverymethod || preferredlanguage ||
registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber
|| teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate ||
x121address || x500uniqueidentifier")(targetfilter =
"(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User
Addressbook Attributes";allow (compare,read,search) userdn =
If a query filter has no (objectclass=posixaccount), it does not get
these rights granted, so there is no access to any of the attributes on the list.
I wonder if the targetfilter limitation is useful here.
/ Alexander Bokovoy
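As an added example (not code from this thread, FreeIPA or Nextcloud), here is a small Python helper that checks whether an LDAP user filter, such as the one Nextcloud sends on the system account's behalf, selects posixaccount entries the way the "System: Read User Addressbook Attributes" ACI quoted above requires, and rewrites it if not. The LDAP URI, base DN, bind DN, group DN and the `%uid` Nextcloud placeholder are assumptions for illustration, not values from the thread.

```python
"""Check and fix an LDAP search filter against the posixaccount
targetfilter requirement discussed in the thread.

Added example, not FreeIPA or Nextcloud code.  Host names, DNs and the
group name are placeholders for whatever your deployment uses.
"""
import shlex

REQUIRED = "(objectclass=posixaccount)"


def _normalise(ldap_filter):
    """Trim and make sure the filter is parenthesised (Nextcloud accepts
    a bare 'uid=%uid' style filter; LDAP servers do not)."""
    f = ldap_filter.strip()
    if not (f.startswith("(") and f.endswith(")")):
        f = "(" + f + ")"
    return f


def _operands(body):
    """Return the sub-filters at nesting depth 1 of an AND/OR body,
    e.g. '(uid=x)(mail=*)' -> ['(uid=x)', '(mail=*)']."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses: %r" % body)
    return parts


def selects_posixaccount(ldap_filter):
    """True when every entry matching the filter must carry
    objectclass=posixaccount: the filter is that term itself, or an AND
    (possibly nested) that has the term as a direct operand.  An OR is
    not enough, because an entry can match through the other branch."""
    f = _normalise(ldap_filter)
    if f.lower() == REQUIRED:
        return True
    if not f.startswith("(&"):
        return False
    return any(selects_posixaccount(p) for p in _operands(f[2:-1]))


def ensure_posixaccount(ldap_filter):
    """Return an equivalent filter that also requires posixaccount.  A
    top-level AND gets the term as an extra operand; anything else is
    wrapped in a new AND.  Compliant filters come back unchanged apart
    from normalisation."""
    f = _normalise(ldap_filter)
    if selects_posixaccount(f):
        return f
    if f.startswith("(&"):
        return "(&" + REQUIRED + f[2:]
    return "(&" + REQUIRED + f + ")"


def ldapsearch_command(ldap_filter, bind_dn, base_dn, attrs=("uid", "mail")):
    """Build the ldapsearch line to reproduce the behaviour by hand as the
    system account Nextcloud binds with (URI and DNs are placeholders)."""
    argv = ["ldapsearch", "-LLL", "-x", "-W",
            "-H", "ldaps://ipa.example.test",
            "-D", bind_dn, "-b", base_dn, ldap_filter, *attrs]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed values: a typical Nextcloud user filter plus the DNs a
    # FreeIPA deployment would use for a system account and the users tree.
    nextcloud_filter = ("(&(uid=%uid)(memberOf=cn=nextcloud,cn=groups,"
                        "cn=accounts,dc=example,dc=test))")
    bind_dn = "uid=system,cn=sysaccounts,cn=etc,dc=example,dc=test"
    base_dn = "cn=users,cn=accounts,dc=example,dc=test"
    for flt in ("(uid=jens)", nextcloud_filter):
        status = ("covered by the address book ACI" if selects_posixaccount(flt)
                  else "outside the address book ACI, mail stays empty")
        print("%s: %s" % (status, ldapsearch_command(flt, bind_dn, base_dn)))
        print("  rewritten: %s" % ensure_posixaccount(flt))
```

Run it as-is to see both the bare `(uid=jens)` filter and the Nextcloud-style filter rewritten with the objectclass term prepended, together with the matching ldapsearch invocations; the filter parsing deliberately treats only AND operands as a guarantee, since an entry can satisfy an OR without being a posixaccount.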