When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.
On 12/11/18 1:36 AM, cdknight via FreeIPA-users wrote:
> When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi,
This topic has already been discussed in issue 2995: [RFE] Add option to limit the scope of the DS objects user can see in self service [1] and in this thread [2]. This may help you understand why the self-service WebUI allows seeing other users.
You may be able to define ACIs preventing a user from seeing other users' information, but this would have to be thoroughly tested as it could break a lot of assumptions made by IPA.
HTH, flo
[1] https://pagure.io/freeipa/issue/2995
[2] https://www.redhat.com/archives/freeipa-users/2016-April/msg00107.html
On Tue, 11 Dec 2018, cdknight via FreeIPA-users wrote:
> When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.
There is no way to restrict that. We keep getting this question all the time and we consider it to be security through obscurity, not a real one.
Every enrolled IPA client has to be able to query IPA LDAP for information about users, groups, hosts, sudo rules, etc. This already gives users a way to retrieve the information you are trying to hide in the Web UI.
If a user is able to log in to the web UI, she would be able to use the IPA CLI on the enrolled IPA clients too. Even without the IPA CLI on the enrolled clients, she would be able to issue JSON-RPC commands -- either from the command line on any machine or right from the browser's console.
You can read the archives (make sure to go through the whole threads):
https://www.redhat.com/archives/freeipa-users/2016-March/msg00053.html
https://www.redhat.com/archives/freeipa-users/2016-April/msg00118.html
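The point above is that whatever the Web UI hides, the same `user_find` call is reachable over the session JSON-RPC endpoint by any authenticated user. The script below is an added example (not code from the thread or from FreeIPA) that an administrator can run in a lab to measure exactly that before relying on an ACI such as the one Florence mentions: it logs in as an ordinary test account, issues `user_find`, and reports whether anyone other than the account itself is visible. The server name `ipa.example.test`, the user `alice` and the sample responses are constructed assumptions.

```python
import json
import http.cookiejar
import urllib.parse
import urllib.request

# Hypothetical IPA master; replace with your own server name.
IPA_SERVER = "ipa.example.test"


def build_user_find(sizelimit=0):
    """JSON-RPC body equivalent to `ipa user-find` (sizelimit 0 means no limit)."""
    return {"method": "user_find", "params": [[], {"sizelimit": sizelimit}], "id": 0}


def visible_uids(rpc_response):
    """Return the uids contained in a user_find JSON-RPC reply, sorted."""
    if rpc_response.get("error"):
        raise RuntimeError("IPA error: %s" % rpc_response["error"].get("message"))
    return sorted(entry["uid"][0] for entry in rpc_response["result"]["result"])


def check_self_service_isolation(rpc_response, own_uid):
    """Report whether the authenticated user can see anyone besides herself."""
    uids = visible_uids(rpc_response)
    others = [u for u in uids if u != own_uid]
    return {"visible": len(uids), "others": others, "isolated": not others}


def query_as_user(server, uid, password):
    """Forms-based login (sets the ipa_session cookie), then call user_find. Needs network."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    base = "https://%s/ipa" % server  # the Referer header is mandatory for both requests
    login = urllib.request.Request(base + "/session/login_password",
        data=urllib.parse.urlencode({"user": uid, "password": password}).encode(),
        headers={"Referer": base, "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "text/plain"})
    opener.open(login).read()
    rpc = urllib.request.Request(base + "/session/json",
        data=json.dumps(build_user_find()).encode(),
        headers={"Referer": base, "Content-Type": "application/json",
                 "Accept": "application/json"})
    return json.loads(opener.open(rpc).read().decode())


# Constructed sample replies in the shape of a real /ipa/session/json response, for offline use.
SAMPLE_ONLY_SELF = {"result": {"result": [{"uid": ["alice"]}], "count": 1,
                               "truncated": False}, "error": None, "id": 0}
SAMPLE_DEFAULT = {"result": {"result": [{"uid": ["alice"]}, {"uid": ["bob"]}, {"uid": ["admin"]}],
                             "count": 3, "truncated": False}, "error": None, "id": 0}

if __name__ == "__main__":
    import sys, getpass
    uid = sys.argv[1] if len(sys.argv) > 1 else "alice"
    reply = query_as_user(IPA_SERVER, uid, getpass.getpass()) if len(sys.argv) > 1 else SAMPLE_DEFAULT
    print(check_self_service_isolation(reply, uid))
```

Run it with the test account's uid as the only argument against a lab server; without arguments it evaluates the constructed sample, which mirrors a default deployment where every authenticated user sees the whole user list.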
Thanks for the responses. Therefore, I will instead have to restrict access to the Web UI by creating an HBAC rule (this is my understanding of what to do) and instead allow them to access a secondary self-service UI like https://github.com/ubccr/mokey. While this secondary software may not be the most stable, it will have to do (as long as basic functions work) until FreeIPA implements its own solution.
On Tue, 11 Dec 2018, cdknight via FreeIPA-users wrote:
> Thanks for the responses. Therefore, I will instead have to restrict access to the Web UI by creating an HBAC rule (this is my understanding of what to do) and instead allow them to access a secondary self-service UI like https://github.com/ubccr/mokey. While this secondary software may not be the most stable, it will have to do (as long as basic functions work) until FreeIPA implements its own solution.
There is currently no plan to allow the self-service view to be completely isolated. As explained, it is not practical and not possible in a typical FreeIPA deployment, as the same information is accessible by other, user-authenticated means.
Adding an HBAC rule will not help since access to Web UI is not controlled with HBAC.