Hi,
We're trying to set up the Thunderbird address book to get user data from the FreeIPA LDAP service, but we cannot get the email addresses of the users. We've tried the Base DN string
cn=users,cn=accounts,dc=xxxxxx,dc=yyy, but the only fields we were able to get are the username and the role in the organization.
Is there some way to get all user data?
Thanks in advance
Regards
Antonello
Hi,
On Wed, Jul 10, 2024 at 9:02 AM Antonello Ledda via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,
We're trying to set up the Thunderbird address book to get user data from the FreeIPA LDAP service, but we cannot get the email addresses of the users. We've tried the Base DN string
cn=users,cn=accounts,dc=xxxxxx,dc=yyy, but the only fields we were able to get are the username and the role in the organization.
Is there some way to get all user data?
The email is usually stored in the "mail" attribute, which by default is readable by any authenticated user. Are your searches performed anonymously or after a bind (did you specify any bind DN in the Thunderbird configuration)?
flo
Thanks in advance
Regards
Antonello
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi Flo
At the moment we are querying the LDAP service anonymously; the "Bind DN" box is empty.
Anto
Anto Nello via FreeIPA-users wrote:
Hi Flo
At the moment we are querying the LDAP service anonymously; the "Bind DN" box is empty.
Anto
As Flo said, the mail attribute is not visible to anonymous binds.
You can see what is available using ldapsearch:
$ ldapsearch -LLL -x -b cn=users,cn=accounts,dc=example,dc=test
It is basically limited to what is available via POSIX.
rob
Hi Rob
Thanks, I suspected this.
So I need to bind to the LDAP service. I tried with a user name, but it asks me for a password and fails. Any hints for a valid bind DN string?
Thanks in advance
Anto
Anto Nello via FreeIPA-users wrote:
Hi Rob
Thanks, I suspected this.
So I need to bind to the LDAP service. I tried with a user name, but it asks me for a password and fails. Any hints for a valid bind DN string?
Thanks in advance
Anto
You need to use a full DN. Something like: uid=deranged69,cn=users,cn=accounts,dc=example,dc=test
Or you can allow the mail attribute to be read without authentication.
By default IPA tries to severely restrict what can be read anonymously for security reasons. With mail for example, someone could harvest every e-mail address in your organization. Probably not ideal.
But if you determine this is ok you can extend an existing permission by adding the mail attribute like:
ipa permission-mod --attrs={cn,createtimestamp,description,displayname,entryusn,gecos,gidnumber,givenname,homedirectory,initials,ipantsecurityidentifier,loginshell,manager,modifytimestamp,objectclass,sn,title,uid,uidnumber,mail} 'System: Read User Standard Attributes'
Then you wouldn't need to bind in Thunderbird.
You'd have to balance security vs convenience here. The Thunderbird setup is a one-time thing that is pretty easily documented using screen shots.
rob
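As an added example (not code from this thread or from FreeIPA): a small Python script that parses the LDIF ldapsearch prints for an anonymous run and for a run bound with a full user DN, and reports which attributes (here, mail) only the authenticated search returned; it also builds the full bind DN Rob describes from a uid and the base DN. The user alice, the base DN dc=example,dc=test and both LDIF outputs are constructed sample data.

```python
import re

# Constructed LDIF, modelled on what an anonymous ldapsearch of
# cn=users,cn=accounts,dc=example,dc=test returns: POSIX attributes only.
ANON_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
cn: Alice Example
sn: Example
givenName: Alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice
loginShell: /bin/bash
"""

# Constructed LDIF for the same search after binding with a full user DN
# (ldapsearch -D uid=bob,cn=users,... -W): the mail attribute now appears.
BOUND_LDIF = ANON_LDIF + "mail: alice@example.test\n"

BASE_DN = "cn=users,cn=accounts,dc=example,dc=test"

def bind_dn(uid: str, base_dn: str = BASE_DN) -> str:
    """Full DN for Thunderbird's Bind DN box; a bare username does not work."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", uid):
        raise ValueError(f"refusing to build a DN from unsafe uid {uid!r}")
    return f"uid={uid},{base_dn}"

def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Map each entry DN to its attributes (names lower-cased, values as lists)."""
    entries: dict[str, dict[str, list[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: dict[str, list[str]] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and ldapsearch chatter
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def hidden_from_anonymous(anon_ldif: str, bound_ldif: str, dn: str) -> set[str]:
    """Attributes the bound search returns for dn that the anonymous search hid."""
    anon = parse_ldif(anon_ldif).get(dn, {})
    bound = parse_ldif(bound_ldif).get(dn, {})
    return set(bound) - set(anon)
```

Running the two real ldapsearch commands (one without -D, one with the full DN from bind_dn) and feeding their output to hidden_from_anonymous shows exactly which attributes a bind unlocks before you decide whether to widen the anonymous permission instead.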
Hi Rob
Thanks for your exhaustive response. In fact I've done exactly what you wrote; my doubt was about the first parameter name ('uid' is the right one). Keeping it secured, I have to type my password to unlock queries to the IPA LDAP, and all works like a charm.
Thanks
Best Regards
Anto