I have added some new custom attributes to my FreeIPA and so far I was using the admin account to check them in the WebUI.
But today I accessed the WebUI using a regular user account and I was surprised to see that the new attributes are not visible. when I used "inspect elements" to view the page code I found the attribute's code as this:
<dev class="widget text-widget" name="bloodtype" style="display: none;">...</dev>
note that the attribute is still visible for the admin.
attribute schema:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.32473.1.1.591
NAME 'bloodtype'
DESC 'Employee Blood type'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
X-ORIGIN 'Oracle Unified Directory Server'
USAGE userApplications )
Object class:
objectclasses: ( 2.16.840.1.113730.3.8.61.11 NAME 'customPerson' SUP person STRUCTURAL MAY bloodtype X-ORIGIN ( 'Extending FreeIPA' 'user defined' ) )
python plugin:
from ipalib.plugins import user
from ipalib.parameters import Str
from ipalib import _
def validate(ugettext,value):
if value not in ['A','B','AB','O']:
return _("Blood type must be either A, B, AB or O.")
user.user.takes_params = user.user.takes_params + (
Str('bloodtype?',validate,
cli_name='bloodtype',
label=_('Blood Type'),
),
)
user.user.default_attributes.append('bloodtype')
javascript plugin:
define([
'freeipa/phases',
'freeipa/user'],
function(phases, user_mod) {
// helper function
function get_item(array, attr, value) {
for (var i=0,l=array.length; i<l; i++) {
if (array[i][attr] === value) return array[i];
}
return null;
}
var plugin = {};
plugin.add_fields = function() {
var facet = get_item(user_mod.entity_spec.facets, '$type', 'details');
var section = get_item(facet.sections, 'name', 'identity');
section.fields.push({
$type:'radio',
options:[{label:'A',value:'A'},{label:'B',value:'B'},{label:'AB',value:'AB'},{label:'O',value:'O'}],
label:'Blood type',
name:'bloodtype'
});
return true;
};
phases.on('customization', plugin.add_fields);
return plugin;
});
What is the problem and how can I allow all users to view it?
Best Answer
you must add the new attribute to ACI.
You can modify ACI in cn=users,cn=accounts,dn=example,=dn=com directly
or you can add new attribute into 'managed_permissions' in the user class, for permission you want to allow to access them. You need to run ipa-ldap-updater --upgrade after that.
or you can create a new ACI permission and add it to existing privileges.