Thank you Alexander, I will look into ACIs.

I've not really needed sssd on this node, just connecting directly over LDAP on a private LAN, but I can see where you're coming from. Thank you again, will post if successful :)

17 Aug 2022 18:50:17 Alexander Bokovoy via FreeIPA-users <[email protected]>:

> On Wed, 17 Aug 2022, Entrepreneur AJ via FreeIPA-users wrote:
>> Hi Alexander,
>>
>> That is my current setup. The issue is we have sister companies that have
>> different staff but on the same IPA server, and for GDPR they shouldn't
>> have access to each other's Odoo instance, and the query filter is all
>> too easy to edit.
>>
>> That's why I'm looking for a server-side solution to reinforce the Odoo
>> solution.
>
> You may read through the ACI plugin documentation for RHDS. It is possible
> to design ACIs that apply to a specific LDAP bind DN, but you need to
> design it with a possible attacker's LDAP filters in mind. An issue I'd
> see is that if they are able to modify LDAP filter settings, why
> couldn't they change the LDAP bind DN as well to something they own? Then your
> ACIs would not apply anymore.
>
> Changing default ACIs is more of an issue that would break other
> systems. SSSD uses a host principal to bind, so theoretically access by
> hosts could be confined to LDAP bind DNs that use host principal DNs and
> deny everyone else default access. But this is something you'd need to
> investigate yourself on a test instance. We never really looked at that
> because in POSIX environments identity information is public on the host
> to every application (e.g. 'id username' would not need any specific
> per-user auth once you are logged in).
>
>> 17 Aug 2022 18:04:02 Alexander Bokovoy via FreeIPA-users
>> <[email protected]>:
>>
>>> On Wed, 17 Aug 2022, Entrepreneur AJ via FreeIPA-users wrote:
>>>> Hi everyone,
>>>>
>>>> I am wondering if there is a way to restrict a user that is purely for
>>>> binding an external application to only be able to search within a group,
>>>> but enforced at the IPA server level.
>>>>
>>>> For example, we use Odoo ERP. It has an LDAP module which we want to be
>>>> able to restrict the users that log in to a group, let's call it
>>>> "odoo-users" for example.
>>>>
>>>> Now if I bind to a normal user or, heaven forbid, the admin user, it could
>>>> potentially source users that I don't want to have access. Odoo does allow
>>>> query filters like most LDAP implementations, but it would be too easy for
>>>> someone to change the query filter for my liking.
>>>>
>>>> I looked at permissions and feel this may be the way to go, but from what I
>>>> can see the documentation is abandoned in favor of the RHEL handbook. (We
>>>> use Fedora 36 on VPSs.)
>>>>
>>>> Does anyone have any pointers on how I can securely implement this on the
>>>> server side to ensure that anyone else can't override the users available
>>>> on the external application?
>>>
>>> Are you just wanting to limit access to that external application to
>>> users from a specific group? Typically, these kinds of applications have
>>> two different LDAP queries:
>>>
>>> - first, LDAP bind to verify that the user is able to authenticate
>>> - second, LDAP query to find whether a user is a part of a specific group
>>>
>>> Judging by whatever my search engine returned first[1], you can set the LDAP
>>> filter to
>>>
>>> (&(objectclass=posixaccount)(uid=%s)(memberof=cn=odoo-users,cn=groups,cn=accounts,dc=example,dc=com))
>>>
>>> and use an LDAP base of cn=users,cn=accounts,dc=example,dc=com
>>>
>>> Replace dc=example,dc=com with your specific base (`ipa env basedn`).
>>>
>>> The filter ensures that whatever user is provided, their entry's
>>> 'uid' attribute is set to the value provided by Odoo as a username, it is a
>>> user account, and this user account is a member of the odoo-users group.
>>>
>>> You can use other attributes too. See `ipa user-show --all --raw username`
>>> for all attributes available for the user `username`.
>>>
>>> [1] https://www.cybrosys.com/blog/how-to-configure-openldap-in-odoo
>>>
>>> --
>>> / Alexander Bokovoy
>>> Sr. Principal Software Engineer
>>> Security / Identity Management Engineering
>>> Red Hat Limited, Finland
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
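As an added example (not code from any of the list posts), the filter Alexander suggests, built in Python with the Odoo-supplied username escaped per RFC 4515 before it replaces the `%s`, and then evaluated against constructed user entries shaped like `ipa user-show --all --raw` output, so you can see which accounts would pass Odoo's second query. The base `dc=example,dc=com`, the entry contents and the `svc-odoo` account are assumptions.

```python
"""Build the Odoo LDAP filter from the thread and check it against sample entries."""

BASEDN = "dc=example,dc=com"   # assumption: replace with the output of `ipa env basedn`
GROUP = "odoo-users"           # group name used in the thread

# Constructed sample entries (not real data) in the shape of `ipa user-show --all --raw`.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "objectclass": ["posixaccount", "person", "inetorgperson"],
     "memberof": ["cn=odoo-users,cn=groups,cn=accounts,dc=example,dc=com",
                  "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"]},
    {"uid": ["bob"], "objectclass": ["posixaccount", "person", "inetorgperson"],
     "memberof": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"]},
    # hypothetical service account: a POSIX account but in no group at all
    {"uid": ["svc-odoo"], "objectclass": ["posixaccount"], "memberof": []},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: characters that would alter the filter's structure
    become \\XX, so a username containing ')' or '*' cannot widen the match."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_dn(group: str, basedn: str) -> str:
    """DN of a FreeIPA user group under the standard cn=groups,cn=accounts container."""
    return "cn=%s,cn=groups,cn=accounts,%s" % (group, basedn)


def odoo_filter(username: str, basedn: str = BASEDN, group: str = GROUP) -> str:
    """The filter suggested in the thread, with the username escaped before substitution."""
    return "(&(objectclass=posixaccount)(uid=%s)(memberof=%s))" % (
        escape_filter_value(username), group_dn(group, basedn))


def entry_matches(entry: dict, username: str, basedn: str = BASEDN, group: str = GROUP) -> bool:
    """Apply the filter's three assertions to one entry the way the server would;
    attribute values and DNs compare case-insensitively."""
    def values(attr):
        return {v.lower() for v in entry.get(attr, [])}
    return ("posixaccount" in values("objectclass")
            and username.lower() in values("uid")
            and group_dn(group, basedn).lower() in values("memberof"))


def users_allowed(entries: list, basedn: str = BASEDN, group: str = GROUP) -> list:
    """uids that would pass Odoo's second query, i.e. be allowed to log in."""
    return sorted(e["uid"][0] for e in entries
                  if entry_matches(e, e["uid"][0], basedn, group))
```

Only `alice` passes: `bob` authenticates fine at the bind step but is filtered out by the `memberof` assertion, which is exactly the check the thread wants enforced.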
