Re: [Freeipa-users] Restricting other User's Details to be visible to a user

2013-02-13 Thread Rob Crittenden

Rajnesh Kumar Siwal wrote:

Yes. We would still like to restrict the visibility of the users.
We could implement the ACLs in 389-ds. However, I was concerned
whether it breaks IPA.



To disable anonymous access you need to set nsslapd-allow-anonymous-access to 
off in cn=config (bind as Directory Manager). Note that this needs to be 
done on every IPA master (and you need to remember to do this if you add 
any more).


To restrict read access to a set of attributes you'd need to 
write a custom ACI, something that is beyond the ability of our 
permission commands.


If you're considering just some attributes in the user object then it 
should be fine. Those fields will just appear as blank to users that 
cannot read them. Hard to say if it would break anything without seeing 
the ACI.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
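The two changes Rob describes, as an added example that is not from this thread or from the FreeIPA project: the cn=config change is applied to every master (cn=config is not replicated), while the ACI is added once on the users container and replicates. Host names, the suffix, the attribute list and the admins-group exclusion are assumptions.

```shell
# POSIX sh. Added example, not code from the thread or from FreeIPA itself.
# Values below are assumptions for illustration; adjust before use.
SUFFIX="${SUFFIX:-dc=example,dc=com}"                    # assumed IPA base DN
MASTERS="${MASTERS:-ipa1.example.com ipa2.example.com}"  # assumed IPA masters
HIDDEN_ATTRS='mail || telephoneNumber || mobile'         # assumed attribute list
ADMINS="cn=admins,cn=groups,cn=accounts,$SUFFIX"         # keep admins able to read

# LDIF turning anonymous access off. cn=config is per-server, not replicated,
# so this must be applied on every master (and on any master added later).
anon_off_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
EOF
}

# LDIF adding a custom deny ACI on the users container. Anyone who is neither
# the entry owner nor an admin can no longer read, search or compare the listed
# attributes; other attributes (uid, cn, ...) stay readable, so user lists in
# the web UI keep working and the hidden fields simply appear blank. This lives
# in the replicated tree, so it is added once.
hide_attrs_ldif() {
  cat <<EOF
dn: cn=users,cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "$HIDDEN_ATTRS")(version 3.0; acl "Hide contact attributes from other users"; deny (read, search, compare) (userdn != "ldap:///self" and groupdn != "ldap:///$ADMINS");)
EOF
}

# Apply as Directory Manager (password prompted). ldapmodify talks to one host,
# so the cn=config change is looped over all masters; the ACI goes to the first.
apply_all() {
  for host in $MASTERS; do
    anon_off_ldif | ldapmodify -x -H "ldaps://$host" -D "cn=Directory Manager" -W
  done
  first=${MASTERS%% *}
  hide_attrs_ldif | ldapmodify -x -H "ldaps://$first" -D "cn=Directory Manager" -W
}

# Check: an anonymous search against a master must now be rejected (non-zero
# exit) instead of returning user entries.
anon_rejected() {
  if ldapsearch -x -H "ldaps://$1" -b "cn=users,cn=accounts,$SUFFIX" -s base 1.1 >/dev/null 2>&1
  then return 1; else return 0; fi
}
```

Try this on a non-production replica first: as Rob notes, whether a given ACI breaks anything cannot be judged without seeing it, and in 389-ds a deny ACI takes precedence over any allow that matches the same attributes.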


Re: [Freeipa-users] Restricting other User's Details to be visible to a user

2013-02-13 Thread Rajnesh Kumar Siwal
Yes. We would still like to restrict the visibility of the users.
We could implement the ACLs in 389-ds. However, I was concerned
whether it breaks IPA.

-- 
Regards,
Rajnesh Kumar Siwal



Re: [Freeipa-users] Restricting other User's Details to be visible to a user

2013-02-13 Thread Petr Spacek

On 13.2.2013 11:38, Rajnesh Kumar Siwal wrote:

It has been found that any user can see the details of other users
through the IPA Web Interface (even an ldapsearch as an anonymous user).
It would be great if we could hide the details of the other users from
the current user (including email, phone number, Licence Number).
Additionally, anonymous access to the information should not be available.


Please look at the archives; Dmitri summarized the current state of things nicely:
https://www.redhat.com/archives/freeipa-users/2012-November/msg00052.html

We can recommend a way if you still want to do that.

--
Petr^2 Spacek
