On Wed, 11 Oct 2023, Finn Fysj via FreeIPA-users wrote:

memberof and ipaSSHPubKey attributes are only allowed to be read,
searched and compared by authenticated LDAP connections. If your
connection is anonymous, you have no access to those attributes.


The configuration below does not seem to use *any* authentication, not
just Kerberos.

How can I receive that information from my personal laptop which is not
authenticated? Is it a setting on IPA servers?

You have to use some identity to bind to LDAP. For example, use your own
user account.

$ ldapsearch -x -H ldap://new.ipa1 \
  -D uid=finn,cn=users,cn=accounts,dc=example,dc=com -W \
  -b cn=users,cn=accounts,dc=example,dc=com \
  '(uid=finn)' memberOf ipasshpubkey

-D option to ldapsearch is providing LDAP DN to bind to
-W option to ldapsearch is saying 'ask for a password'

Instances:
New.IPA1
New.IPA2
Old.IPA

Test.server:
Receives desired information from OLD IPA server
Can't receive desired information from NEW IPA servers

My Personal Laptop:
Receives desired information from OLD IPA server
Can't receive desired information from NEW IPA servers

Perhaps somebody did set up relaxed access controls on your old IPA
servers? It is certainly not what we aim for, especially these days.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
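One way to follow up on the suggestion about relaxed access controls on the old server is to audit the exported `aci` values for rules that grant anonymous read of memberOf or ipaSSHPubKey. The script below is an added example, not code from this thread or from the FreeIPA project; it assumes standard 389 Directory Server ACI syntax, where `ldap:///anyone` matches anonymous binds as well as authenticated ones and `ldap:///all` matches authenticated users only. The ACI strings in `SAMPLE_ACIS` are constructed for the example and are not FreeIPA's shipped ACIs.

```python
"""Audit 389-ds style ACIs for anonymous read access to attributes that
FreeIPA restricts to authenticated binds (memberOf, ipaSSHPubKey).

Added example; the ACI strings below are constructed, not FreeIPA's own."""
import re
from typing import Iterable

# Attributes the thread says are readable only by authenticated connections.
SENSITIVE_ATTRS = {"memberof", "ipasshpubkey"}

# (targetattr = "a || b") or (targetattr != "a || b")
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)
# acl "human readable name"
ACL_NAME_RE = re.compile(r'acl\s*"([^"]*)"', re.IGNORECASE)
# allow (read, search, compare) userdn = "ldap:///anyone";  (or deny ...;)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.IGNORECASE)


def targeted_attrs(aci: str) -> set:
    """Return which SENSITIVE_ATTRS the ACI's targetattr clause covers.
    No targetattr clause, or "*", means every attribute is targeted;
    "!=" means every attribute except the listed ones."""
    m = TARGETATTR_RE.search(aci)
    if m is None:
        return set(SENSITIVE_ATTRS)
    op, raw = m.group(1), m.group(2)
    listed = {a.strip().lower() for a in raw.split("||") if a.strip()}
    if "*" in listed:
        return set(SENSITIVE_ATTRS)
    if op == "!=":
        return SENSITIVE_ATTRS - listed
    return SENSITIVE_ATTRS & listed


def anonymous_read_grant(aci: str) -> bool:
    """True if an allow rule grants read/search/compare to ldap:///anyone.
    ldap:///all is authenticated users only and is not flagged."""
    for kind, perms, bind_rule in RULE_RE.findall(aci):
        if kind.lower() != "allow":
            continue
        permset = {p.strip().lower() for p in perms.split(",")}
        if not permset & {"read", "search", "compare", "all"}:
            continue
        if "ldap:///anyone" in bind_rule.lower():
            return True
    return False


def exposed_by(aci: str) -> set:
    """Sensitive attributes this single ACI exposes to anonymous binds."""
    if not anonymous_read_grant(aci):
        return set()
    return targeted_attrs(aci)


def audit(acis: Iterable[str]) -> list:
    """Return (acl name, exposed attrs) for every ACI exposing sensitive attrs."""
    findings = []
    for aci in acis:
        exposed = exposed_by(aci)
        if exposed:
            name = ACL_NAME_RE.search(aci)
            findings.append((name.group(1) if name else "<unnamed>", exposed))
    return findings


# Constructed sample ACIs (hypothetical names; not FreeIPA's real ACIs).
SAMPLE_ACIS = [
    '(targetattr = "memberof || ipasshpubkey")(version 3.0; '
    'acl "example: authenticated read of memberof and sshpubkey"; '
    'allow (read, search, compare) userdn = "ldap:///all";)',
    '(targetattr = "cn || uid || mail")(version 3.0; '
    'acl "example: anonymous read of basic attrs"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "memberof || ipasshpubkey")(version 3.0; '
    'acl "example: relaxed anonymous read"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr != "userpassword || krbprincipalkey")(version 3.0; '
    'acl "example: anonymous read of everything else"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
]

if __name__ == "__main__":
    for name, attrs in audit(SAMPLE_ACIS):
        print(f"ANONYMOUS READ: {name!r} exposes {sorted(attrs)}")
```

To use it on real data, export the `aci` attribute from the relevant subtrees with an authenticated `ldapsearch` and pass each value to `audit()`. The negated `targetattr !=` form is the one most often overlooked in a review: it grants everything not listed, so it silently includes memberOf and ipaSSHPubKey unless they are named explicitly.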
_______________________________________________
FreeIPA-users mailing list -- [email protected]