[Freeipa-users] is it possible to add a value to the group 'mail' attribute?

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 18 05:14:14 UTC 2016


On Thu, 17 Mar 2016, Natxo Asenjo wrote:
>hi,
>
>see subject. For user accounts it's possible (even multivalued),
>
>Adding it using an ldap client gives me error 65 (attribute 65 not allowed).
In order to add *any* attribute to *any* LDAP entry you need two
conditions to be satisfied:

 1. The LDAP entry in question should have an object class that allows this
    attribute
 2. The authenticated user should have an ACI that allows adding this
    attribute to this entry

'Attribute not allowed' means condition (1) is not satisfied. FreeIPA
LDAP server has three object classes by default that allow you to add mail
attribute to an entry:
  -- inetOrgPerson
  -- mailRecipient
  -- mailGroup

I'd say that if you want to associate mail with a group, mailGroup
would be a better object class to use. It is an auxiliary object class,
meaning it only adds some attributes to an entry and there should exist
more fundamental classes (we have them for group already).

As for (2), admins should have enough rights to modify 'mail' attribute
and 'objectclass' attribute on group entries.

-- 
/ Alexander Bokovoy
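As an added example (not part of the mailing-list post and not FreeIPA project code), the script below models condition (1) from Alexander's reply with a constructed, minimal subset of the directory schema, shows that 'mail' is rejected on a plain group entry but accepted once the auxiliary class mailGroup is present, and emits the LDIF modify that adds both in one operation. The group DN, the mail address and the schema table are assumptions constructed for the example.

```python
"""Added example: check the 'object class permits attribute' condition before an
LDAP modify, and build the LDIF that adds mailGroup plus a mail value to a group.
The SCHEMA table is a constructed subset, not the real FreeIPA 389-ds schema."""

# Constructed subset of the schema: object class -> attributes it permits.
# Only classes relevant to the thread are listed; real schemas are far larger.
SCHEMA = {
    "top": set(),
    "groupOfNames": {"cn", "member", "description"},
    "posixGroup": {"cn", "gidNumber", "memberUid"},
    "ipaObject": {"ipaUniqueID"},
    "mailGroup": {"mail", "mgrpRFC822MailMember"},
    "mailRecipient": {"mail"},
    "inetOrgPerson": {"mail", "cn", "sn"},
}


def allowed_attributes(object_classes):
    """Union of the attributes permitted by an entry's object classes."""
    allowed = set()
    for oc in object_classes:
        if oc not in SCHEMA:
            raise ValueError(f"unknown objectClass {oc!r} in constructed schema")
        allowed |= SCHEMA[oc]
    return allowed


def check_modify(entry, new_classes, new_attrs):
    """Condition (1) from the post: after adding new_classes, does the entry's
    objectClass set permit every attribute in new_attrs?  Returns the set of
    attributes the server would still reject as 'attribute not allowed'."""
    classes = set(entry["objectClass"]) | set(new_classes)
    return set(new_attrs) - allowed_attributes(classes)


def build_ldif(dn, add_classes, add_attrs):
    """One LDIF modify record adding auxiliary classes and attribute values
    together, so the server's schema check sees the class and the attribute
    in the same resulting entry."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for oc in add_classes:
        lines += ["add: objectClass", f"objectClass: {oc}", "-"]
    for attr, values in add_attrs.items():
        lines.append(f"add: {attr}")
        lines += [f"{attr}: {v}" for v in values]
        lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample group entry in the shape FreeIPA uses for groups.
GROUP = {
    "dn": "cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=test",  # assumed DN
    "objectClass": ["top", "groupOfNames", "posixGroup", "ipaObject"],
}


def demo():
    # Without mailGroup: 'mail' is rejected, the situation the thread describes.
    rejected_before = check_modify(GROUP, [], ["mail"])
    # With mailGroup added in the same modify: nothing is rejected.
    rejected_after = check_modify(GROUP, ["mailGroup"], ["mail"])
    ldif = build_ldif(GROUP["dn"], ["mailGroup"],
                      {"mail": ["helpdesk@example.test"]})  # assumed address
    return rejected_before, rejected_after, ldif


if __name__ == "__main__":
    before, after, ldif = demo()
    print("rejected without mailGroup:", before)
    print("rejected with mailGroup:   ", after)
    print(ldif)
```

Condition (2) is then a matter of who submits the LDIF: run it as a principal whose ACIs cover 'objectclass' and 'mail' on group entries, for example after `kinit admin` with `ldapmodify -Y GSSAPI -f group-mail.ldif`.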
