[Freeipa-users] user login exposes all users in UI

Adam Young ayoung at redhat.com
Thu Sep 29 00:58:16 UTC 2011


On 09/28/2011 01:13 PM, Stephen Ingram wrote:
> When logging into the FreeIPA UI as a user, most everything is removed
> with the exception of the Identity tab and the Users list. Although
> I'm guessing that LDAP needs to expose the users list to all users
> just as anyone can view the passwd file on any one system, is there a
> technical need to expose all of the users to any user logging into the
> UI?
>
> Steve


The UI does not remove any privs. That same user can run the command
line ipa user-find and get the same results. Additionally, the user
has the ability to query the LDAP server directly. Thus, we decided to
leave the ability to enumerate all users, but not to advertise it. We
did remove tabs for other things that the user can do, mainly because
some of them pointed at operations that the user was not allowed to see
(Roles, for example, and Sudo commands for another). We had to draw the
line somewhere, and that is where we decided. It has the added benefit
of letting IPA work as a company directory.
