[Freeipa-users] Limiting group/user visibility

Stephen Ingram sbingram at gmail.com
Wed Nov 30 19:44:26 UTC 2011


Lassi

On Wed, Nov 30, 2011 at 3:18 AM, Lassi Pölönen <lassi.polonen at iki.fi> wrote:
> I'm looking for implementing FreeIPA in an environment where there are
> multiple customers in multiple organizations and a single organization
> that manages the users, sets the access rights etc.
>
> We don't have a centralized system currently so I will be starting from
> scratch in that sense. The first concern I've had so far is that we
> don't want different customers to be able to find information about each
> other. Currently in my test setup any user can find out every user in a
> group if they know the group name and all the groups for each user if
> they know the username. In some cases this might reveal information the
> customer is not willing to share.
>
> So are there ways to limit that, e.g. certain hosts/hostgroups or
> users/usergroups see some defined subset of the directory? Or are there
> some other suggested approaches? As the current setup relies on local
> authentication, users naturally are able to find users/groups only on
> servers they are able to log in and that is the level of confidentiality
> we are looking for if possible.

I asked a similar question earlier
(https://www.redhat.com/archives/freeipa-users/2011-September/msg00197.html).
As Adam says, since the directory allows visibility of all users, it
is a logical step to allow a similar view in the UI.

I suspect that you would have to adjust the ACIs in your directory
such that users could only see users in their own group. However, this
might cause issues with other processes which expect to see users
without any restrictions. I haven't had the chance to prove or
disprove this yet.

Steve
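One way to express the per-group ACIs Steve has in mind, as an added example that is not from this thread and not one of FreeIPA's own shipped ACIs. It assumes a FreeIPA 2.x tree under dc=example,dc=com, two customer groups cn=custA and cn=custB, and the memberOf plugin keeping memberOf on user entries (the FreeIPA default). A bound user gets read access only to user entries that carry the same customer group in memberOf, and only to group entries that list them as a direct member:

```ldif
# Added example, not from the thread or from FreeIPA's shipped ACIs.
# Assumed layout: FreeIPA 2.x under dc=example,dc=com, customer groups
# cn=custA / cn=custB, memberOf maintained on user entries.
# Apply as admin with:  ldapmodify -Y GSSAPI -f group-visibility.ldif

# 1. Users: a bound user may read only user entries that share a
#    customer group with them. One ACI per customer group; the
#    targetfilter picks the entries, the groupdn bind rule picks who.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(memberOf=cn=custA,cn=groups,cn=accounts,dc=example,dc=com)")
 (targetattr = "objectClass || uid || cn || displayName || uidNumber || gidNumber || homeDirectory || loginShell || memberOf")
 (version 3.0; acl "custA members may read custA users";
 allow (read, search, compare)
 groupdn = "ldap:///cn=custA,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
aci: (targetfilter = "(memberOf=cn=custB,cn=groups,cn=accounts,dc=example,dc=com)")
 (targetattr = "objectClass || uid || cn || displayName || uidNumber || gidNumber || homeDirectory || loginShell || memberOf")
 (version 3.0; acl "custB members may read custB users";
 allow (read, search, compare)
 groupdn = "ldap:///cn=custB,cn=groups,cn=accounts,dc=example,dc=com";)

# 2. Groups: a bound user may read a group entry only if the entry's
#    member attribute contains the bind DN (userattr ... #USERDN).
#    Direct membership only; nested groups are not walked by this rule.
dn: cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "objectClass || cn || gidNumber || description || member")
 (version 3.0; acl "group members may read their own groups";
 allow (read, search, compare)
 userattr = "member#USERDN";)
```

These ACIs only narrow anything once the broad suffix-level read ACI that FreeIPA 2.x installs (it grants anonymous read of most attributes) has been removed; dump the current values with `ldapsearch -Y GSSAPI -b dc=example,dc=com -s base aci` and delete that one by its exact text, since a `delete: aci` must match byte for byte. Then check as a custA user with `ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid=*`: only custA members should come back, and `ldapsearch -b cn=groups,cn=accounts,dc=example,dc=com cn=custB` should return nothing. Two things the restriction also hits, which is the breakage Steve warns about: the IPA management framework binds to the directory with the caller's own Kerberos identity, so `ipa user-find` and the web UI will be restricted the same way (admins keep their access through the permission-based ACIs, which are untouched here); and sssd on enrolled clients binds with the host keytab, so each customer's hosts need a matching read ACI (for example a groupdn rule pointing at that customer's hostgroup) or logins on those hosts will fail.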