[Freeipa-users] Restrict user access

Dmitri Pal dpal at redhat.com
Tue Nov 6 00:04:51 UTC 2012


On 11/05/2012 05:57 PM, Marcello Giannoni UCLA wrote:
> Hi,
>
> I defined some users who are not members of the ipausers group; for some reason these users are able to log in to the server using the ipa client tools and the web interface https://myipaserver/ipa/ui 
> I don't want any user to look at other users' information. Is there a way to deny access to the ipa client tools and Web UI to these non-ipausers?
>
> 	Thank you
> 	Marcello
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

What do you mean by access? Do you mean read or modify?
In general the LDAP is usually open for read for anyone. In the past it
was open even to anonymous, i.e. unauthenticated, users. In recent years the
requirement to expose LDAP only to authenticated users has become
popular (and that is what IPA supports), but not to the extent of
limiting what one can read once authenticated. By default all the
readable attributes are readable to everybody.
So before moving forward please make sure that you realize that most of
the software that uses LDAP as a central repository expects at least
read only access after authenticated bind.

Now the solution. You need to explore the privileges and permissions and
define those to prevent access to the specific attributes. The things
that you are trying to do might be so advanced that it might require you
to get under the hood and work directly with DS ACIs rather than with
the IPA commands.

Are you trying to close read access to specific private attributes in
the user entry?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

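As an added illustration of the "under the hood" route mentioned in the reply (this is not from the original thread): a 389-DS ACI, applied with ldapmodify to the IPA user container, that denies read, search and compare on a few chosen user attributes to any authenticated bind that is not a member of ipausers. The suffix dc=example,dc=com and the attribute list are assumptions; because the directory server enforces the ACI, it covers the ipa CLI, the Web UI and plain LDAP clients alike.

```ldif
# Added example, not from the thread. Hides selected contact attributes in
# user entries from anyone who is not a member of ipausers.
# Assumed suffix: dc=example,dc=com. Apply with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f hide-private-attrs.ldif
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "telephoneNumber || mobile || homePhone || street || l || postalCode")
 (version 3.0; acl "Hide private contact attributes from non-ipausers";
 deny (read, search, compare)
 groupdn != "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com";)
```

Deny rules take precedence over the allow ACIs that IPA's own permissions generate, and host and service principals are not members of ipausers either, so keep the attribute list to data no client or service needs and verify the effect on a non-production replica first.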
