6:34 a.m.
Hello,
iam very happy that i got nextcloud connected to freeipa over ldap. It
seems to work nearly perfect now, the only thing i wont get worked is to
pull the mail from freeipa and add it to nextcloud.
I tried to use the field mail but that seem to be empty.
My configuration is nearly the same as here
http://poorlydocumented.com/2017/02/integrating-nextcloud-11-with-freeipa-4/
Pls help me:)
thank u all
2:41 p.m.
Jens Laufer via FreeIPA-users wrote:
Hello,
iam very happy that i got nextcloud connected to freeipa over ldap. It
seems to work nearly perfect now, the only thing i wont get worked is to
pull the mail from freeipa and add it to nextcloud.
I tried to use the field mail but that seem to be empty.
My configuration is nearly the same as here
http://poorlydocumented.com/2017/02/integrating-nextcloud-11-with-freeipa-4/
What this blog is lacking is how to grant read access to the users for
this system LDAP account (assuming freeIPA 4+). What did you do to grant
that?
I wonder if it simply can't read the mail attribute.
rob
2:55 p.m.
On to, 22 kesä 2017, Rob Crittenden via FreeIPA-users wrote:
Jens Laufer via FreeIPA-users wrote:
> Hello,
>
> iam very happy that i got nextcloud connected to freeipa over ldap. It
> seems to work nearly perfect now, the only thing i wont get worked is to
> pull the mail from freeipa and add it to nextcloud.
>
> I tried to use the field mail but that seem to be empty.
>
> My configuration is nearly the same as here
> http://poorlydocumented.com/2017/02/integrating-nextcloud-11-with-freeipa-4/
What this blog is lacking is how to grant read access to the users for
this system LDAP account (assuming freeIPA 4+). What did you do to grant
that?
I wonder if it simply can't read the mail attribute.
Yes, it cannot but with a
twist. We've been through this on IRC some
time ago -- authenticated users can read a bunch of an address book
attributes only if a query filter specifies (objectclass=posixaccount):
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber ||
destinationindicator || employeenumber || employeetype || facsimiletelephonenumber ||
homephone || homepostaladdress || inetuserhttpurl || inetuserstatus ||
internationalisdnnumber || ipacertmapdata || jpegphoto || l || labeleduri || mail ||
mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress ||
postalcode || postofficebox || preferreddeliverymethod || preferredlanguage ||
registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber
|| teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate ||
x121address || x500uniqueidentifier")(targetfilter =
"(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User
Addressbook Attributes";allow (compare,read,search) userdn =
"ldap:///all";)
If a query filter has no (objectclass=posixaccount), it does not get
these rights granted, so no access to any of the attributes on the list.
I wonder if targetfilter limitation is useful here.
--
/ Alexander Bokovoy
3:33 p.m.
# ldapmodify -x -D 'cn=Directory Manager' -W dn:
uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com changetype: add
objectclass: account objectclass: simplesecurityobject uid: system
userPassword: secret123 passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0 <blank line> ^D
That is how I created the user, it is from the doc of freeipa - the user is
just named a bit differently (system2)
sent from my mobile
Am 22.06.2017 9:56 nachm. schrieb "Alexander Bokovoy via FreeIPA-users" <
freeipa-users(a)lists.fedorahosted.org>:
On to, 22 kesä 2017, Rob Crittenden via FreeIPA-users wrote:
> Jens Laufer via FreeIPA-users wrote:
>
>> Hello,
>>
>> iam very happy that i got nextcloud connected to freeipa over ldap. It
>> seems to work nearly perfect now, the only thing i wont get worked is to
>> pull the mail from freeipa and add it to nextcloud.
>>
>> I tried to use the field mail but that seem to be empty.
>>
>> My configuration is nearly the same as here
>> http://poorlydocumented.com/2017/02/integrating-nextcloud-11
>> -with-freeipa-4/
>>
>
> What this blog is lacking is how to grant read access to the users for
> this system LDAP account (assuming freeIPA 4+). What did you do to grant
> that?
>
> I wonder if it simply can't read the mail attribute.
>
Yes, it cannot but with a twist. We've been through this on IRC some
time ago -- authenticated users can read a bunch of an address book
attributes only if a query filter specifies (objectclass=posixaccount):
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "audio || businesscategory || carlicense ||
departmentnumber || destinationindicator || employeenumber || employeetype
|| facsimiletelephonenumber || homephone || homepostaladdress ||
inetuserhttpurl || inetuserstatus || internationalisdnnumber ||
ipacertmapdata || jpegphoto || l || labeleduri || mail || mobile || o || ou
|| pager || photo || physicaldeliveryofficename || postaladdress ||
postalcode || postofficebox || preferreddeliverymethod || preferredlanguage
|| registeredaddress || roomnumber || secretary || seealso || st || street
|| telephonenumber || teletexterminalidentifier || telexnumber ||
usercertificate || usersmimecertificate || x121address ||
x500uniqueidentifier")(targetfilter =
"(objectclass=posixaccount)")(version
3.0;acl "permission:System: Read User Addressbook Attributes";allow
(compare,read,search) userdn = "ldap:///all";)
If a query filter has no (objectclass=posixaccount), it does not get
these rights granted, so no access to any of the attributes on the list.
I wonder if targetfilter limitation is useful here.
--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
4:24 a.m.
so i tried it out with another bin user,
that i created with cn=users,cn=accounts, instead of cn=sysaccounts,cn=etc
and it works, he pulls the mails from the accounts
but i dont think that is the best way to do it or? isnt that kind of an security issue?
j.
2489
days inactive
2493
days old
freeipa-users@lists.fedorahosted.org
4 comments
4 participants
participants (4)
-
Alexander Bokovoy -
Jens Laufer -
Rob Crittenden -
Tobi Berninger