[Freeipa-users] is it possible to add a value to the group 'mail' attribute?
Natxo Asenjo
natxo.asenjo at gmail.com
Fri Mar 18 06:32:25 UTC 2016
hi,
On Fri, Mar 18, 2016 at 6:14 AM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:
> On Thu, 17 Mar 2016, Natxo Asenjo wrote:
>
>> hi,
>>
>> see subject. For user accounts it's possible (even multivalued),
>>
>> Adding it using an ldap client gives me error 65 (attribute 65 not
>> allowed).
>>
> In order to add *any* attribute to *any* LDAP entry you need two
> conditions to be satisfied:
>
> 1. LDAP entry in question should have object class that allows this
> attribute
> 2. Authenticated user should have ACI that allows to add this attribute
> to this entry
>
> 'Attribute not allowed' means condition (1) is not satisfied. FreeIPA
> LDAP server has three object classes by default that allow you to add mail
> attribute to an entry:
> -- inetOrgPerson
> -- mailRecipient
> -- mailGroup
>
> I'd say that if you want to associate mail with a group, mailGroup
> would be a better object class to use. It is an auxiliary object class,
> meaning it only adds some attributes to an entry and there should exist
> more fundamental classes (we have them for group already).
>
> As for (2), admins should have enough rights to modify 'mail' attribute
> and 'objectclass' attribute on group entries
>
thanks for your explanation. I have added the mailGroup objectclass to the
default group objectclasses group options in 'configuration' and now I can
add the entry. This post helped too:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00050.html
Thanks!
--
Groeten,
natxo
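
Condition (1) from the quoted reply, modelled as an added example (not part of the original thread and not FreeIPA code): a small schema check that reports result code 65 when no object class on the entry permits the attribute, and lists the auxiliary classes that would. The schema lines are constructed and abridged with placeholder OIDs, and the function names are hypothetical.

```python
import re

# Constructed, abridged object class definitions in RFC 4512 syntax.
# OIDs are placeholders and the attribute lists are assumptions; the
# authoritative definitions are in the server's cn=schema entry.
SCHEMA = [
    "( 1.1.1 NAME 'top' ABSTRACT MUST objectClass )",
    "( 1.1.2 NAME 'groupOfNames' SUP top STRUCTURAL MUST cn MAY ( member $ owner $ description ) )",
    "( 1.1.3 NAME 'posixGroup' SUP top AUXILIARY MUST ( cn $ gidNumber ) MAY ( memberUid $ description ) )",
    "( 1.1.4 NAME 'mailGroup' SUP top AUXILIARY MAY ( cn $ mail $ mailAlternateAddress $ owner ) )",
]

def parse_schema(lines):
    """Map lowercased class name -> display name, superior, kind, MUST+MAY attributes."""
    classes = {}
    for line in lines:
        name = re.search(r"NAME '([^']+)'", line).group(1)
        sup = re.search(r"\bSUP (\w+)", line)
        kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", line).group(1)
        attrs = set()
        for m in re.finditer(r"\b(?:MUST|MAY) (?:\(([^)]*)\)|(\S+))", line):
            attrs.update(a.strip().lower() for a in (m.group(1) or m.group(2)).split("$"))
        classes[name.lower()] = {"name": name, "sup": sup.group(1).lower() if sup else None,
                                 "kind": kind, "attrs": attrs}
    return classes

def allowed_attrs(object_classes, classes):
    """Union of attributes permitted by the given classes and their superiors."""
    allowed = set()
    for oc in object_classes:
        oc = oc.lower()
        while oc:
            allowed |= classes[oc]["attrs"]
            oc = classes[oc]["sup"]
    return allowed

def check_add(entry_classes, attr, classes):
    """Return (LDAP result code, auxiliary classes that would permit attr)."""
    if attr.lower() in allowed_attrs(entry_classes, classes):
        return 0, []  # schema check passes; condition (2), the ACI, is not modelled here
    fixes = sorted(c["name"] for c in classes.values()
                   if c["kind"] == "AUXILIARY" and attr.lower() in allowed_attrs([c["name"]], classes))
    return 65, fixes  # 65 = objectClassViolation

if __name__ == "__main__":
    classes = parse_schema(SCHEMA)
    group = ["top", "groupOfNames", "posixGroup"]  # constructed group entry
    print(check_add(group, "mail", classes))
    print(check_add(group + ["mailGroup"], "mail", classes))
```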