On 12/11/18 1:36 AM, cdknight via FreeIPA-users wrote:

When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

this topic has already been discussed in issue 2995: [RFE] Add option to limit the scope of the DS objects user can see in self service [1] and in this thread [2]. This may help understand why self-service WebUI allows to see other users.

You may be able to define ACIs preventing a user from seeing other users' information but this would have to be thoroughly tested as it could break a lot of assumptions done by IPA.

HTH, flo

[1] https://pagure.io/freeipa/issue/2995 [2] https://www.redhat.com/archives/freeipa-users/2016-April/msg00107.html

Thanks for the responses. Therefore, I will instead have to restrict access to the Web UI either by creating an HBAC rule (this is my understanding of what to do), and instead allowing them access a secondary self-service UI like https://github.com/ubccr/mokey. While this secondary software may not be the most stable, it will have to do (as long as basic functions work) until FreeIPA implements their own solution.