On 10/29/2015 12:06 AM, craig.li...@mypenguin.net.au wrote:
Thanks it worked!
For those also interested in the settings:

Permission: ldap_anonymous
Bind Type Rule: anonymous
Granted Rights: (I used) "read","search","compare"
Subtree: cn=users,cn=accounts,dc=example,dc=com
Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
Effective Attributes:
gecos, mail, mobile, telephoneNumber, uidNumber
This works. However, the "right way" here would be changing the Bind Type Rule of the default permission "System: Read User Addressbook Attributes" from "all" (the default in new installations of FreeIPA 4.0) to "anonymous". This is the permission that holds extended attributes like this one:

# ipa permission-show 'System: Read User Addressbook Attributes'
  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, compare, search
  Effective attributes: audio, businesscategory, carlicense, departmentnumber, destinationindicator, employeenumber, employeetype, facsimiletelephonenumber, homephone, homepostaladdress, inetuserhttpurl, inetuserstatus, internationalisdnnumber, jpegphoto, l, labeleduri, mail, mobile, o, ou, pager, photo, physicaldeliveryofficename, postaladdress, postalcode, postofficebox, preferreddeliverymethod, preferredlanguage, registeredaddress, roomnumber, secretary, seealso, st, street, telephonenumber, teletexterminalidentifier, telexnumber, usercertificate, usersmimecertificate, x121address, x500uniqueidentifier
  Default attributes: postofficebox, registeredaddress, jpegphoto, physicaldeliveryofficename, homepostaladdress, labeleduri, photo, postalcode, street, x121address, st, telephonenumber, facsimiletelephonenumber, teletexterminalidentifier, usercertificate, mail, internationalisdnnumber, seealso, x500uniqueidentifier, employeetype, businesscategory, preferredlanguage, preferreddeliverymethod, roomnumber, carlicense, telexnumber, postaladdress, pager, destinationindicator, departmentnumber, mobile, inetuserhttpurl, l, o, inetuserstatus, employeenumber, usersmimecertificate, ou, audio, homephone, secretary
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=rhel72
  Type: user

This approach will help you avoid an extra read permission and keep your permission updated by FreeIPA, if needed (when a new addressbook attribute is added, for example).
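Before switching the stock permission's bind rule to "anonymous", it is worth seeing exactly which attributes that hands to unauthenticated binds compared with the five the original poster needed. The script below is an added example, not part of this reply or of FreeIPA: it parses `ipa permission-show` output (a constructed, trimmed copy of the output above, including the "Default attributes:" label that got wrapped onto the previous line), reports the extra attributes an anonymous bind would gain, and prints the two `ipa` commands discussed in the thread; the FreeIPA 4.x options `--bindtype`, `--right`, `--attrs` and `--type` are assumed.

```python
import re

# Constructed sample: the `ipa permission-show` output quoted in the thread, with
# "Default attributes:" run onto the effective-attributes line as the mail client
# wrapped it, and the attribute list trimmed for readability.
SAMPLE = """\
  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, compare, search
  Effective attributes: audio, homepostaladdress, jpegphoto, mail, mobile, postalcode, street, telephonenumber, usercertificate Default attributes: audio, mail, mobile
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Type: user
"""
# What the original poster needed anonymous clients to read.
WANTED = {"mail", "postalCode", "street", "mobile", "telephoneNumber"}

LABELS = re.compile(r"(Permission name|Granted rights|Effective attributes|"
                    r"Default attributes|Bind rule type|Subtree|Type): ")
LIST_FIELDS = {"Granted rights", "Effective attributes", "Default attributes"}

def parse_permission(text):
    """Parse permission-show output into a dict; list fields become lower-cased sets."""
    # Split the joined text on labels so a label that wrapped mid-line still separates.
    parts = LABELS.split(" ".join(line.strip() for line in text.splitlines()))
    perm = {}
    for label, value in zip(parts[1::2], parts[2::2]):
        if label in LIST_FIELDS:
            perm[label] = {v.strip().lower() for v in value.split(",") if v.strip()}
        else:
            perm[label] = value.strip()
    return perm

def anonymous_exposure(perm, wanted):
    """What an anonymous bind would read if this permission's bind rule became
    'anonymous', split into the attributes asked for and the ones that come along."""
    wanted = {w.lower() for w in wanted}
    exposed = perm["Effective attributes"]
    return {"requested": sorted(exposed & wanted), "missing": sorted(wanted - exposed),
            "extra": sorted(exposed - wanted)}

def remediation(perm, wanted):
    """The thread's two options as ipa commands (FreeIPA 4.x options --bindtype,
    --right, --attrs and --type assumed): flip the stock permission, or add a
    narrow anonymous permission carrying only the needed attributes."""
    wide = f"ipa permission-mod '{perm['Permission name']}' --bindtype=anonymous"
    narrow = ("ipa permission-add ldap_anonymous --bindtype=anonymous --type=user "
              "--right=read --right=search --right=compare "
              + " ".join(f"--attrs={a}" for a in sorted(wanted)))
    return wide, narrow
```

Run `anonymous_exposure(parse_permission(SAMPLE), WANTED)` against the real output of `ipa permission-show` to see the full list (homepostaladdress, jpegphoto, usercertificate and the rest) that the "all" to "anonymous" switch would publish.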

On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:
    Refer to this doc
    On 28 October 2015 at 11:11, Prashant Bapat <[2]prash...@apigee.com>

      Making attributes anonymously readable is very simple. You need to look
      into RBAC and define the permissions/privileges you need.
      On 28 October 2015 at 08:02, <[3]craig.li...@mypenguin.net.au> wrote:


        We have recently updated from IPA 3 to IPA 4.1 and one of the changes
        security is what attributes are available for the anonymous LDAP

        Does anyone know how to edit the anonymous LDAP settings so
        that the following are available?

        mail: [4]cr...@example.com
        postalCode: 3000
        street: 1 Home Parade
        mobile: 0000-000-000
        telephoneNumber: 03-0000-0000

        Note: We have many different types of LDAP clients here and even though
        using encrypted BINDs did work from ldapsearch queries, I couldn't get
        them to consistently work from our email clients.


        Manage your subscription for the Freeipa-users mailing list:
        Go to [6]http://freeipa.org for more info on the project


    Visible links
    2. mailto:prash...@apigee.com
    3. mailto:craig.li...@mypenguin.net.au
    4. mailto:cr...@example.com
    5. https://www.redhat.com/mailman/listinfo/freeipa-users
    6. http://freeipa.org/
