Rajnesh Kumar Siwal wrote:
Yes. We would still like to restrict the Visibility of the users. We could implement the ACL's in 389-ds. However, I was concerned whether it breaks the IPA.
To disable anonymous you need to set nsslapd-allow-anonymous-access to off in cn=config (bind as Directory Manager). Note that this needs to be done on every IPA master (and you need to remember to do this if you add any more).
To disallow restrict read access to a set of attributes you'd need to write a custom ACI, something that is beyond the ability of our permission commands.
If you're considering just some attributes in the user object then it should be fine. Those fields will just appear as blank to users that cannot read them. Hard to say if it would break anything without seeing the ACI.
rob _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users