[Freeipa-users] Restricting other User's Details to be visible to a user
Rob Crittenden
rcritten at redhat.com
Wed Feb 13 14:38:11 UTC 2013
Rajnesh Kumar Siwal wrote:
> Yes. We would still like to restrict the visibility of the users.
> We could implement the ACLs in 389-ds. However, I was concerned
> whether it breaks the IPA.
>
To disable anonymous you need to set nsslapd-allow-anonymous-access to
off in cn=config (bind as Directory Manager). Note that this needs to be
done on every IPA master (and you need to remember to do this if you add
any more).
To restrict read access to a set of attributes you'd need to
write a custom ACI, something that is beyond the ability of our
permission commands.
If you're considering just some attributes in the user object then it
should be fine. Those fields will just appear as blank to users that
cannot read them. Hard to say if it would break anything without seeing
the ACI.
rob
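
The cn=config change described in the message above, applied to each IPA master in turn, as an added example that is not part of the original post. Host names are placeholders, and the OpenLDAP client tools (ldapmodify, ldapsearch) with StartTLS on port 389 are assumptions.

```shell
#!/bin/sh
# Added example. Bind DN is the 389-ds Directory Manager, as the message says.
BIND_DN="cn=Directory Manager"

# LDIF that sets nsslapd-allow-anonymous-access to off in cn=config.
anon_off_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
EOF
}

# Apply the change to one master. DRY_RUN defaults to 1 and only prints
# the command; set DRY_RUN=0 to run it (prompts for the password).
apply_master() {
    host=$1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ldapmodify -x -ZZ -H ldap://$host -D \"$BIND_DN\" -W -f <ldif>"
        return 0
    fi
    ldif=$(mktemp) || return 1
    anon_off_ldif > "$ldif"
    ldapmodify -x -ZZ -H "ldap://$host" -D "$BIND_DN" -W -f "$ldif"
    rc=$?
    rm -f "$ldif"
    return $rc
}

# Succeeds when an unauthenticated read of the root DSE fails.
# Caveat: an unreachable host also fails, so check connectivity separately.
anon_blocked() {
    ! ldapsearch -x -ZZ -H "ldap://$1" -b "" -s base '(objectClass=*)' \
        >/dev/null 2>&1
}

# The setting is per server, so every master has to be visited.
harden_all() {
    for host in "$@"; do
        apply_master "$host" || return 1
    done
}

# Usage (placeholder hosts):
#   DRY_RUN=0 harden_all ipa1.example.test ipa2.example.test
#   anon_blocked ipa1.example.test && echo "anonymous access refused"
```

Any master added later needs the same change, so keep the host list passed to `harden_all` in step with the topology.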