Dmitri Pal wrote:
On 04/12/2013 08:17 PM, Chandan Kumar wrote:

Thanks for the response.

The way we can turn off anonymous bind in 389 Server is by using
 "nsslapd-allow-anonymous-access: off".

Is there any way to limit the read access of a user to only the DNS
entries? In that way I can create a user who could/will be able to
see/edit DNS entries only.

In general yes, though it is not standard because, as I mentioned earlier,
the tree is assumed to be readable to an authenticated user.
When a user logs in, the framework (the UI or CLI) will log into LDAP as that
user and try to do operations. It will need to read the user entry and
groups and other things, so closing read access to everything other than
DNS would not work. You can close access to some of the objects but not
to all of them.
It is still unclear what the harm is in the ability to read other parts of the
tree but not modify them.

To change the permissions you would have to use LDAP-level ACI commands,
as we do not expose these capabilities via CLI or UI, but be careful: as I
mentioned above, you might end up hiding something that would prevent the
framework from functioning properly.

There is no easy way to do this. We start with granting all authenticated users read access to the tree with the exception of certain attributes (like passwords).

You'd have to start by removing that, then one by one granting read access to the various containers based on, well, something.

It would be very prone to error, with probably lots of corner cases and overlap.

Do you really want to deny read access, or do you want to simplify the UI to include only certain tabs/functions?
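The two LDAP-level changes discussed above, written out as an added LDIF example; this is not code from the original thread or from FreeIPA itself. The first change is the anonymous-bind switch named in the question. The second takes the route the replies recommend instead of stripping the global read ACI: it leaves the default authenticated read access alone and adds a single ACI that grants write rights on the DNS subtree only to one group. The suffix dc=example,dc=com, the group cn=dnsadmins,cn=groups,cn=accounts,dc=example,dc=com and the ACI name are assumptions for illustration.

```ldif
# Assumed suffix: dc=example,dc=com (replace with your own).
# Change 1: refuse anonymous binds (the setting from the question).
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

# Change 2: let one group (assumed: cn=dnsadmins) modify entries under cn=dns
# only. No read access is removed anywhere, so the UI/CLI can still read the
# user entry, groups and the rest of the tree as the replies require.
dn: cn=dns,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///cn=dns,dc=example,dc=com")(version 3.0; acl "dnsadmins may write DNS entries"; allow (write, add, delete) groupdn = "ldap:///cn=dnsadmins,cn=groups,cn=accounts,dc=example,dc=com";)
```

Apply the file as Directory Manager with ldapmodify (for example `ldapmodify -x -D "cn=Directory Manager" -W -f dns-aci.ldif`), then verify from a bind as a member of the group that a DNS record under cn=dns can be modified while an entry outside it (a user under cn=users) cannot. Because ACIs are evaluated per entry, any hand-written ACI that does deny read access should be tested the same way against the framework's own login before it is kept, which is the corner-case work the replies warn about.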


Freeipa-users mailing list