Re: [Freeipa-users] Users directory Browsing -
A really good point; however, I'm fortunate enough that the only items authenticating are applications. I agree with you also that it's a bit of a Pandora's box; I've decided that it's best to leave the systems in the default state and use a tool like PWM for this self-service component.

On Wed, Mar 9, 2016 at 12:37 AM Petr Spacek wrote:

> On 8.3.2016 15:29, Matt Wells wrote:
> > For my use case it is. Essentially the system will be application auth for
> > separate groups that have no need to know of one another, almost a
> > multi-tenant mode. I wanted to expose a 'self service' url. I've found a
> > community ipa portal for password resets and perhaps that with slight
> > changes can resolve this. I understand why it's that way but had hoped to
> > be able to apply a bit more of an ACI; I've been able to ratchet the
> > accounts down to just this one item thus far by restricting access to
> > attributes. I appreciate the response and if / when I find a solution I'll
> > post it for anyone else that would require it.
>
> Be sure you fully think through your use cases and understand the
> implications.
>
> E.g. if the LDAP is used by unix clients, locking it down to one user or group
> may prevent clients from translating UIDs to names and vice-versa, prevent
> resolving group membership etc. That would certainly break things.
>
> In this case you might want to craft an ACI which exposes POSIX attributes only
> and nothing else or so.
>
> Again, think about it :-)
>
> Petr^2 Spacek
>
> > On Mon, Mar 7, 2016 at 11:05 PM, Prashant Bapat wrote:
> >
> >> A user will be able to list all other users and be able to read their
> >> attributes. But will not be able to change anything.
> >>
> >> Is that an issue? I mean on a Linux box you can read the /etc/passwd file
> >> which has info about all users on that box. This doesn't cause issues.
> >>
> >> On 8 March 2016 at 03:03, Matt Wells wrote:
> >>
> >>> Hi all, I had a quick question. I swear I had this before but that could
> >>> be the voices telling me it's true.
> >>> A normal user is logging into IPA (4.2.0) and filling in their phone
> >>> number and info no problem. However when that user clicks on accounts
> >>> above they are then able to peruse the entire directory and all the other
> >>> user accounts.
> >>> I'm trying to remove that but for the life of me can't recall the ACI or
> >>> where that may be.
> >>>
> >>> I really appreciate it, I'll continue to search through the previous
> >>> questions and if I find it before a reply will mark this closed with the
> >>> link.
> >>> Thank you all -
> >>> Wells

--
Matt Wells
Chief Systems Architect
RHCA, RHCVA - #110-000-353
(702) 808-0424
matt.we...@mosaic451.com
Las Vegas | Phoenix | Portland
Mosaic451.com

CONFIDENTIALITY NOTICE: This transmittal is a confidential communication or may otherwise be privileged. If you are not the intended recipient, you are hereby notified that you have received this transmittal in error and that any review, dissemination, distribution or copying of this transmittal is strictly prohibited. If you have received this communication in error, please notify this office, and immediately delete this message and all its attachments, if any.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Users directory Browsing -
On 8.3.2016 15:29, Matt Wells wrote:
> For my use case it is. Essentially the system will be application auth for
> separate groups that have no need to know of one another, almost a
> multi-tenant mode. I wanted to expose a 'self service' url. I've found a
> community ipa portal for password resets and perhaps that with slight
> changes can resolve this. I understand why it's that way but had hoped to
> be able to apply a bit more of an ACI; I've been able to ratchet the
> accounts down to just this one item thus far by restricting access to
> attributes. I appreciate the response and if / when I find a solution I'll
> post it for anyone else that would require it.

Be sure you fully think through your use cases and understand the implications.

E.g. if the LDAP is used by unix clients, locking it down to one user or group may prevent clients from translating UIDs to names and vice-versa, prevent resolving group membership etc. That would certainly break things.

In this case you might want to craft an ACI which exposes POSIX attributes only and nothing else or so.

Again, think about it :-)

Petr^2 Spacek

> On Mon, Mar 7, 2016 at 11:05 PM, Prashant Bapat wrote:
>
>> A user will be able to list all other users and be able to read their
>> attributes. But will not be able to change anything.
>>
>> Is that an issue? I mean on a Linux box you can read the /etc/passwd file
>> which has info about all users on that box. This doesn't cause issues.
>>
>> On 8 March 2016 at 03:03, Matt Wells wrote:
>>
>>> Hi all, I had a quick question. I swear I had this before but that could
>>> be the voices telling me it's true.
>>> A normal user is logging into IPA (4.2.0) and filling in their phone
>>> number and info no problem. However when that user clicks on accounts
>>> above they are then able to peruse the entire directory and all the other
>>> user accounts.
>>> I'm trying to remove that but for the life of me can't recall the ACI or
>>> where that may be.
>>>
>>> I really appreciate it, I'll continue to search through the previous
>>> questions and if I find it before a reply will mark this closed with the
>>> link.
>>> Thank you all -
>>> Wells
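Petr's suggestion, an ACI that exposes only the POSIX attributes and nothing else, sketched below as an added example; it is not part of this thread and not FreeIPA's own configuration. It assumes a placeholder suffix dc=example,dc=com, the stock FreeIPA layout of user and group entries under cn=users,cn=accounts and cn=groups,cn=accounts, and two made-up ACI names; the attribute lists are what an enrolled client's SSSD needs to map UIDs and GIDs to names and to resolve group membership, which is exactly what Petr warns would break under a blanket lockdown. Two caveats before relying on it: 389-ds combines allow rules, so adding this ACI takes nothing away that the default FreeIPA-managed permissions still grant (list them with ipa permission-find "System: Read User" and narrow them with the ipa permission-* commands rather than by editing their ACIs by hand); and userdn = "ldap:///all" covers authenticated binds only, which suits SSSD on enrolled hosts (it binds with the host keytab) but not anonymous lookups.

```ldif
# Added example, not from the thread or from FreeIPA itself.
# Assumptions: suffix dc=example,dc=com (placeholder), stock FreeIPA container
# layout, ACI names invented for this example.
# Apply as Directory Manager, e.g.:
#   ldapmodify -H ldaps://ipa.example.com -D "cn=Directory Manager" -W -f posix-only.ldif

# Users: let any authenticated bind read only what a passwd lookup needs.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "objectClass || uid || cn || uidNumber || gidNumber || h
 omeDirectory || loginShell || gecos")(targetfilter = "(objectClass=posixAcc
 ount)")(version 3.0; acl "Read POSIX user attributes only"; allow (read, se
 arch, compare) userdn = "ldap:///all";)

# Groups: the same for a group lookup, including membership, so that
# "id <user>" and getent group keep working on enrolled clients.
dn: cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "objectClass || cn || gidNumber || member || memberUid")(
 targetfilter = "(objectClass=posixGroup)")(version 3.0; acl "Read POSIX gro
 up attributes only"; allow (read, search, compare) userdn = "ldap:///all";)
```

The aci values are folded with LDIF continuation lines (a leading space) only for readability; ldapmodify joins them back into one value. ACIs are ordinary attributes on replicated entries, so this change propagates to every replica. The check that matters after tightening the defaults is the one Petr's warning implies: on an enrolled client, as an ordinary user, confirm that getent passwd, getent group and id still resolve other users and their group memberships, and that the web UI's self-service page no longer lists attributes you intended to hide.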
Re: [Freeipa-users] Users directory Browsing -
For my use case it is. Essentially the system will be application auth for separate groups that have no need to know of one another, almost a multi-tenant mode. I wanted to expose a 'self service' url. I've found a community ipa portal for password resets and perhaps that with slight changes can resolve this. I understand why it's that way but had hoped to be able to apply a bit more of an ACI; I've been able to ratchet the accounts down to just this one item thus far by restricting access to attributes. I appreciate the response and if / when I find a solution I'll post it for anyone else that would require it.

On Mon, Mar 7, 2016 at 11:05 PM, Prashant Bapat wrote:

> A user will be able to list all other users and be able to read their
> attributes. But will not be able to change anything.
>
> Is that an issue? I mean on a Linux box you can read the /etc/passwd file
> which has info about all users on that box. This doesn't cause issues.
>
> On 8 March 2016 at 03:03, Matt Wells wrote:
>
>> Hi all, I had a quick question. I swear I had this before but that could
>> be the voices telling me it's true.
>> A normal user is logging into IPA (4.2.0) and filling in their phone
>> number and info no problem. However when that user clicks on accounts
>> above they are then able to peruse the entire directory and all the other
>> user accounts.
>> I'm trying to remove that but for the life of me can't recall the ACI or
>> where that may be.
>>
>> I really appreciate it, I'll continue to search through the previous
>> questions and if I find it before a reply will mark this closed with the
>> link.
>> Thank you all -
>> Wells
Re: [Freeipa-users] Users directory Browsing -
A user will be able to list all other users and be able to read their attributes. But will not be able to change anything.

Is that an issue? I mean on a Linux box you can read the /etc/passwd file which has info about all users on that box. This doesn't cause issues.

On 8 March 2016 at 03:03, Matt Wells wrote:

> Hi all, I had a quick question. I swear I had this before but that could
> be the voices telling me it's true.
> A normal user is logging into IPA (4.2.0) and filling in their phone
> number and info no problem. However when that user clicks on accounts
> above they are then able to peruse the entire directory and all the other
> user accounts.
> I'm trying to remove that but for the life of me can't recall the ACI or
> where that may be.
>
> I really appreciate it, I'll continue to search through the previous
> questions and if I find it before a reply will mark this closed with the
> link.
> Thank you all -
> Wells
[Freeipa-users] Users directory Browsing -
Hi all, I had a quick question. I swear I had this before but that could be the voices telling me it's true.

A normal user is logging into IPA (4.2.0) and filling in their phone number and info no problem. However when that user clicks on accounts above they are then able to peruse the entire directory and all the other user accounts.

I'm trying to remove that but for the life of me can't recall the ACI or where that may be.

I really appreciate it, I'll continue to search through the previous questions and if I find it before a reply will mark this closed with the link.

Thank you all -
Wells