On 11/05/2012 05:57 PM, Marcello Giannoni UCLA wrote:
> Hi,
>
> I defined some users that are not members of the ipausers group, for
> some reason these users are able to login to the server using the ipa client
> tools and the web interface https://myipaserver/ipa/ui
> I don't want any users to look at other users' information, is there a way
> to deny access to the ipa client tools and Web UI to these non-ipausers?
>
> Thank you
> Marcello
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
What do you mean by access? You mean read or modify?

In general the LDAP is usually open for read for anyone. In the past it was open even to anonymous, i.e. unauthenticated, users. In recent years the requirement to expose LDAP only to authenticated users has become popular (and that is what IPA supports), but not to the extent of limiting what one can read once authenticated. By default all the readable attributes are readable to everybody. So before moving forward please make sure that you realize that most of the software that uses LDAP as a central repository expects at least read-only access after an authenticated bind.

Now the solution. You need to explore the privileges and permissions and define those to prevent access to the specific attributes. The things that you are trying to do might be so advanced that it might require you to get under the hood and work directly with DS ACIs rather than with the IPA commands.

Are you trying to close read access to specific private attributes in the user entry?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
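To make the "work directly with DS ACIs" point concrete, here is an added example (not code from the thread, FreeIPA, or 389 Directory Server) that models a small subset of 389-DS style ACI evaluation: allow ACIs are additive, a matching deny wins over any allow, and an attribute with no matching allow is not visible. It assumes that simplified model and uses constructed DNs under dc=example,dc=test; the real 389 DS engine handles many more target and bind-rule forms. The scenarios show why adding a "self may read" ACI on top of a broad "authenticated users may read everything" ACI hides nothing from other users, while a deny ACI scoped to everyone except self does.

```python
"""Toy evaluator for a subset of 389-DS style ACIs (assumption: not the real engine).

Model: only 'read' rights are considered; targetattr may be a list, '*' or
negated (!=); bind rules are userdn = / != ldap:///anyone, ldap:///all,
ldap:///self or an exact DN. Deny beats allow; no matching allow means hidden.
"""
import re

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<neg>!?)\s*=\s*"(?P<attrs>[^"]+)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]+)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]+)\)\s*'
    r'userdn\s*(?P<bneg>!?)\s*=\s*"(?P<userdn>[^"]+)";\s*\)'
)


def parse_aci(text):
    """Parse one ACI string of the supported shape into a dict."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax for this toy model: " + text)
    return {
        "name": m.group("name"),
        "attr_negated": m.group("neg") == "!",
        "attrs": {a.strip().lower() for a in m.group("attrs").split("||")},
        "effect": m.group("effect"),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "bind_negated": m.group("bneg") == "!",
        "userdn": m.group("userdn").lower(),
    }


def bind_rule_matches(aci, bind_dn, entry_dn):
    """Does the binding identity (None = anonymous) satisfy the userdn rule?"""
    rule = aci["userdn"]
    if rule == "ldap:///anyone":
        hit = True                                   # includes anonymous binds
    elif rule == "ldap:///all":
        hit = bind_dn is not None                    # any authenticated bind
    elif rule == "ldap:///self":
        hit = bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    else:
        hit = bind_dn is not None and bind_dn.lower() == rule[len("ldap:///"):]
    return (not hit) if aci["bind_negated"] else hit


def aci_targets_attr(aci, attr):
    hit = "*" in aci["attrs"] or attr.lower() in aci["attrs"]
    return (not hit) if aci["attr_negated"] else hit


def readable_attrs(acis, entry_attrs, bind_dn, entry_dn):
    """Return the subset of entry_attrs the binder may read on entry_dn."""
    visible = set()
    for attr in entry_attrs:
        allowed = denied = False
        for aci in acis:
            if "read" not in aci["rights"] or not aci_targets_attr(aci, attr):
                continue
            if not bind_rule_matches(aci, bind_dn, entry_dn):
                continue
            if aci["effect"] == "deny":
                denied = True
            else:
                allowed = True
        if allowed and not denied:                   # deny precedence
            visible.add(attr)
    return visible


# Constructed sample data: two users and three candidate ACIs.
USER_ATTRS = ["uid", "cn", "mail", "telephoneNumber", "homePostalAddress"]
ALICE = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
BOB = "uid=bob,cn=users,cn=accounts,dc=example,dc=test"

BROAD_READ = ('(targetattr = "*")(version 3.0; acl "authenticated users read all'
              ' (constructed)"; allow (read, search, compare) userdn = "ldap:///all";)')
SELF_ONLY = ('(targetattr = "telephoneNumber || homePostalAddress")(version 3.0; '
             'acl "self reads private attrs"; allow (read, search, compare) '
             'userdn = "ldap:///self";)')
DENY_OTHERS = ('(targetattr = "telephoneNumber || homePostalAddress")(version 3.0; '
               'acl "hide private attrs from others"; deny (read, search, compare) '
               'userdn != "ldap:///self";)')


def scenario(extra_acis):
    """What Bob (another user) and Alice (the entry owner) see on Alice's entry."""
    acis = [parse_aci(a) for a in [BROAD_READ] + extra_acis]
    return {
        "bob_sees": readable_attrs(acis, USER_ATTRS, BOB, ALICE),
        "alice_sees": readable_attrs(acis, USER_ATTRS, ALICE, ALICE),
    }


if __name__ == "__main__":
    for label, extra in [("broad read only", []), ("+ self-only allow", [SELF_ONLY]),
                         ("+ deny others", [DENY_OTHERS])]:
        print(label, scenario(extra))
```

The middle scenario is the trap the reply warns about: because allows accumulate, a permission that only grants self-read leaves the broad read ACI untouched and Bob still sees Alice's phone number. Only an explicit deny (or removing the broad allow) changes what an authenticated user can read, and that is the kind of change that may break software which expects read access after bind.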