On Thu, 22 Jun 2017, Rob Crittenden via FreeIPA-users wrote:
Jens Laufer via FreeIPA-users wrote:
> Hello,
>
> I am very happy that I got Nextcloud connected to FreeIPA over LDAP. It
> seems to work nearly perfectly now; the only thing I can't get working is to
> pull the mail from FreeIPA and add it to Nextcloud.
>
> I tried to use the field mail but that seems to be empty.
>
> My configuration is nearly the same as here
>
> http://poorlydocumented.com/2017/02/integrating-nextcloud-11-with-freeipa-4/
What this blog is lacking is how to grant read access to the users for
this system LDAP account (assuming freeIPA 4+). What did you do to grant
that?
I wonder if it simply can't read the mail attribute.
Yes, it cannot, but with a twist. We've been through this on IRC some
time ago -- authenticated users can read a bunch of address book
attributes only if a query filter specifies (objectclass=posixaccount):
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber ||
destinationindicator || employeenumber || employeetype || facsimiletelephonenumber ||
homephone || homepostaladdress || inetuserhttpurl || inetuserstatus ||
internationalisdnnumber || ipacertmapdata || jpegphoto || l || labeleduri || mail ||
mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress ||
postalcode || postofficebox || preferreddeliverymethod || preferredlanguage ||
registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber
|| teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate ||
x121address || x500uniqueidentifier")(targetfilter =
"(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User
Addressbook Attributes";allow (compare,read,search) userdn =
"ldap:///all";)
If a query filter has no (objectclass=posixaccount), it does not get
these rights granted, so no access to any of the attributes on the list.
I wonder if the targetfilter limitation is useful here.
--
/ Alexander Bokovoy
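
Added example, not part of the original thread or of FreeIPA's own code: a small Python parser for an ACI value like the one quoted above, reporting whether that single ACI allows a given right on an attribute such as mail and which targetfilter conditions the grant. The names parse_aci and grant_condition are hypothetical, the sample shortens the targetattr list, and effective access on a real server depends on all ACIs together, not on one.

```python
import re

# Constructed sample: the ACI quoted in the message, targetattr list shortened,
# line-wrapped the way the mail shows it.
SAMPLE_ACI = '''(targetattr = "audio || l || mail ||
mobile || telephonenumber")(targetfilter =
"(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User
Addressbook Attributes";allow (compare,read,search) userdn =
"ldap:///all";)'''

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
RULE_RE = re.compile(r'\(\s*version 3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
                     r'\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$')

def parse_aci(text):
    """Split one ACI value into targets, name, type, rights and bind rule."""
    aci = " ".join(text.split())              # undo line wrapping
    targets = {k.lower(): (op, v) for k, op, v in TARGET_RE.findall(aci)}
    rule = RULE_RE.search(aci)
    if rule is None:
        raise ValueError("not a 'version 3.0' ACI")
    name, kind, rights, bind_rule = rule.groups()
    op, attr_list = targets.get("targetattr", ("=", ""))
    return {
        "name": name,
        "type": kind,
        "rights": [r.strip().lower() for r in rights.split(",")],
        "bind_rule": bind_rule,
        "attr_op": op,
        "attrs": {a.strip().lower() for a in attr_list.split("||") if a.strip()},
        "targetfilter": targets.get("targetfilter"),   # (op, filter) or None
    }

def grant_condition(parsed, attr, right="read"):
    """None if this ACI does not allow `right` on `attr`; otherwise the
    targetfilter that conditions the grant ('' when there is none)."""
    if parsed["type"] != "allow" or right not in parsed["rights"]:
        return None
    listed = attr.lower() in parsed["attrs"] or "*" in parsed["attrs"]
    if listed != (parsed["attr_op"] == "="):   # '!=' means "all but the listed"
        return None
    if parsed["targetfilter"] is None:
        return ""
    op, flt = parsed["targetfilter"]
    return flt if op == "=" else "(!%s)" % flt
```

Feeding it each aci value returned for cn=users,cn=accounts shows at a glance which permissions cover mail and under what filter condition.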