<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 04/12/2013 08:17 PM, Chandan Kumar wrote:
<blockquote
cite="mid:CAD=CKMB4MCnAQP90cOdQwY8pqoM0WBPi=4jzxiBO7T13--THRA@mail.gmail.com"
type="cite">
<div><br>
</div>
Thanks for the response.
<div><br>
</div>
<div>The way we can turn off the anonymous bind in 389 Server.
using "nsslapd-allow-anonymous-access: off".</div>
<div><br>
</div>
<div>Is there any way to limit the read access of user to only to
the DNS entries? In that way I can create a user who could/will
be able to see/edit DNS entries only.</div>
</blockquote>
<br>
In general yes though it is not standard because as I mentioned
earlier the tree is assumed to be readable to an authenticated user.<br>
When user logs in the framework the UI or CLI will log into LDAP as
a user and try to do operations. It will need to read user entry and
groups and other things so closing read access to everything other
than DNS would not work. You can close access to some of the objects
but not to all of them. <br>
It still unclear what is the harm in ability to read other parts of
the tree but not modify them.<br>
<br>
To change the permissions you would have to user LDAP level ACI
commands as we do not expose these capabilities via CLI or UI but be
careful as I mentioned above you might end up hiding something that
would prevent framework from functioning properly.<br>
<br>
<blockquote
cite="mid:CAD=CKMB4MCnAQP90cOdQwY8pqoM0WBPi=4jzxiBO7T13--THRA@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>Thanks,</div>
<div>Chandan<br>
<div><br>
On Friday, April 12, 2013, Dmitri Pal wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On
04/12/2013 02:23 AM, Martin Kosek wrote:<br>
> On 04/12/2013 01:07 AM, Chandan Kumar wrote:<br>
>> Hello,<br>
>><br>
>> I have a question regarding Uer Roles and Access in
GUI. What I have found that<br>
>> irrespective of Role assigned to a user, he gets
read only access across the<br>
>> directory.<br>
>><br>
>> For example, I created one user say "dnsadmin" with
only Roles related to DNS<br>
>> such as DNS Servers, DNS Administrator. Now that
user has read only access to<br>
>> entire directory. Is there any way of controlling
it?<br>
>><br>
>><br>
>> Thanks,<br>
>> Chandan<br>
>><br>
> Hello Chandan,<br>
><br>
> If you create a new role, assign "DNS Administrators"
privilege to it, and<br>
> assign that role to user dnsadmin, that user will have
write access to DNS tree<br>
> and configuration.<br>
><br>
> Beyond that tree, dnsadmin will have read-only access
just like all other<br>
> non-admin users. If you want dnsadmin to have write
access also to other<br>
> entries, you would need to assign more privileges/roles
to it.<br>
><br>
> HTH,<br>
> Martin<br>
><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a moz-do-not-send="true" href="javascript:;"
onclick="_e(event, 'cvml', 'Freeipa-users@redhat.com')">Freeipa-users@redhat.com</a><br>
> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
If you are worried about the read access the LDAP data is
traditionally<br>
readable by any authenticated user.<br>
In the past is was even possible to read the tree as
anonymous user<br>
which is a bad security practice and not recommended.<br>
<br>
<br>
--<br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
<br>
-------------------------------<br>
Looking to carve out IT costs?<br>
<a moz-do-not-send="true"
href="http://www.redhat.com/carveoutcosts/"
target="_blank">www.redhat.com/carveoutcosts/</a><br>
<br>
<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true" href="javascript:;"
onclick="_e(event, 'cvml', 'Freeipa-users@redhat.com')">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</div>
</div>
<br>
<br>
-- <br>
<br>
<div>--</div>
<div><a moz-do-not-send="true" href="http://about.me/chandank"
target="_blank">http://about.me/chandank</a><br>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>