[Freeipa-users] Limiting group/user visibility

Lassi Pölönen lassi.polonen at iki.fi
Fri Dec 9 12:51:46 UTC 2011


On 2011-12-08 17:36, Rob Crittenden wrote:
> Lassi Pölönen wrote:
>> On 7.12.2011 21:28, Dmitri Pal wrote:
>>>> So I came to the conclusion that I just create a role for each customer, e.g.
>>>> "Customer1", and assign that role to all the customer's user groups and
>>>> hosts (too bad it isn't possible to assign a role to a hostgroup). This
>>>> requires an ACI to be created for each customer though:
>>>>

Actually it seems to be possible to assign roles to host groups as well.
Just not from Identity -> Host groups. IPA Server -> RBAC -> Roles has
the option though.
> Unless you need per-object acis you can probably simplify the filter
> to cover the entire DIT by dropping the target and using just the
> targetfilter.
>
> I'd recommend verifying that data doesn't leak via schema compat if
> you have that enabled.
>
> rob

Looks like dropping the target prevents a user from logging in, so
apparently there are some entries that need to be accessible other than
those labeled with memberOf <role>. One additional thing came to
mind: user private groups probably need to be accessible as well. At
least by default there doesn't seem to be a way to assign the same role
to those as well.
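To make the visibility question above concrete, here is an added example (not code from the thread or from the FreeIPA project) that evaluates an ACI-style targetfilter against a small constructed directory fragment. The DNs, the role name "Customer1", the suffix dc=example,dc=test and the attribute values are all assumptions made up for the illustration. The point it shows is the one raised in the post: a targetfilter that only matches memberOf=<role> covers the users and hosts carrying that role, but a user private group carries no memberOf at all, so it falls outside the filter.

```python
"""Toy evaluator for the subset of LDAP search-filter syntax (RFC 4515) that
an ACI targetfilter usually uses: equality, AND (&), OR (|) and NOT (!).

Every entry below is constructed sample data for this example; none of it
comes from a real FreeIPA server or from the mailing-list thread."""

# Assumed role DN and suffix (constructed for the example).
ROLE_DN = "cn=Customer1,cn=roles,cn=accounts,dc=example,dc=test"
OTHER_ROLE_DN = "cn=Customer2,cn=roles,cn=accounts,dc=example,dc=test"

ENTRIES = {
    # A user that holds the Customer1 role via memberOf.
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": {
        "objectClass": ["posixAccount", "person"],
        "uid": ["alice"],
        "memberOf": [ROLE_DN],
    },
    # alice's user private group: same name as the user, but no memberOf.
    "cn=alice,cn=groups,cn=accounts,dc=example,dc=test": {
        "objectClass": ["posixGroup", "mepManagedEntry"],
        "cn": ["alice"],
        "gidNumber": ["10001"],
    },
    # A host that holds the Customer1 role.
    "fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test": {
        "objectClass": ["ipaHost"],
        "fqdn": ["web1.example.test"],
        "memberOf": [ROLE_DN],
    },
    # A user belonging to a different customer.
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test": {
        "objectClass": ["posixAccount", "person"],
        "uid": ["bob"],
        "memberOf": [OTHER_ROLE_DN],
    },
}


def parse_filter(text):
    """Parse a filter string into a tree: ('=', attr, value) leaves and
    (op, [children]) nodes for '&', '|' and '!'."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        # Split on the first '=' only: DN values themselves contain '='.
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry. Attribute names and values
    are compared case-insensitively, as the directory does for these types."""
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        lowered = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
        return value.lower() in lowered.get(attr.lower(), [])
    children = tree[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)  # '!' takes a single child


def visible_entries(targetfilter, entries=ENTRIES):
    """Return the sorted DNs that a targetfilter-only ACI would cover."""
    tree = parse_filter(targetfilter)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


if __name__ == "__main__":
    role_only = "(memberOf=%s)" % ROLE_DN
    print("Covered by", role_only)
    for dn in visible_entries(role_only):
        print("  ", dn)
    print("Not covered (includes alice's private group):")
    for dn in visible_entries("(!%s)" % role_only):
        print("  ", dn)
```

Run it and compare the two lists: the private group cn=alice shows up only in the "not covered" set, which is the gap the post describes. The evaluator is deliberately limited to equality and the three boolean operators; substring, presence and extensible-match filters are not handled.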
