[Freeipa-users] User Roles and access in GUI

Rob Crittenden rcritten at redhat.com
Mon Apr 15 13:39:26 UTC 2013


Dmitri Pal wrote:
> On 04/12/2013 08:17 PM, Chandan Kumar wrote:
>>
>> Thanks for the response.
>>
>> The way we can turn off the anonymous bind in 389 Server is by using
>> "nsslapd-allow-anonymous-access: off".
>>
>> Is there any way to limit the read access of a user to only the DNS
>> entries? That way I can create a user who could/will be able to
>> see/edit DNS entries only.
>
> In general yes, though it is not standard because, as I mentioned earlier,
> the tree is assumed to be readable by an authenticated user.
> When a user logs in to the framework, the UI or CLI will log into LDAP as a
> user and try to do operations. It will need to read the user entry and
> groups and other things, so closing read access to everything other than
> DNS would not work. You can close access to some of the objects but not
> to all of them.
> It is still unclear what the harm is in the ability to read other parts of
> the tree but not modify them.
>
> To change the permissions you would have to use LDAP-level ACI commands,
> as we do not expose these capabilities via CLI or UI, but be careful: as I
> mentioned above, you might end up hiding something that would prevent the
> framework from functioning properly.

There is no easy way to do this. We start with granting all 
authenticated users read access to the tree with the exception of 
certain attributes (like passwords).

You'd have to start by removing that, then one by one granting read 
access to the various containers based on, well, something.

It would be very prone to error, with probably lots of corner cases and 
overlap.

Do you really want to deny read access or do you want to simplify the 
UI to include only certain tabs/functions?

rob
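As an added illustration (constructed for this archive, not from Rob's or Dmitri's messages and not from the FreeIPA project), the LDIF below shows what the two pieces discussed in the thread look like in 389 DS syntax: turning off anonymous bind, and an ACI whose read grant is scoped to the DNS subtree only. It assumes the suffix dc=example,dc=com, FreeIPA's standard containers cn=dns,<suffix> and cn=groups,cn=accounts,<suffix>, and a hypothetical group "dnsreaders"; the global authenticated-read ACI that Rob says you would have to remove first is not shown, because its exact text depends on the IPA version.

```ldif
# Constructed example; apply as Directory Manager, e.g.:
#   ldapmodify -x -D "cn=Directory Manager" -W -H ldap://ipa.example.com -f scoped-read.ldif
# Step 0 (not shown): find and delete the global "authenticated users may read"
# ACI on the suffix entry. Read the existing values first with
#   ldapsearch ... -b dc=example,dc=com -s base aci
# and only then remove the one you mean to replace.

# 1. Disable anonymous bind (the setting quoted in the thread). This lives on cn=config.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

# 2. Read access scoped to the DNS container and everything below it.
#    "target" is what limits the grant; without it the ACI would apply to the
#    whole suffix again. Group DN is an assumption for this example.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///cn=dns,dc=example,dc=com")(version 3.0; acl "Read DNS entries (example)"; allow (read, search, compare) groupdn = "ldap:///cn=dnsreaders,cn=groups,cn=accounts,dc=example,dc=com";)

# 3. Dmitri's caveat: once the global read ACI is gone, the framework still needs
#    to read the user's own entry and its groups. Two grants that cover those
#    two named items follow; the "other things" he mentions are not pinned down
#    in the thread, so expect further breakage to surface in testing.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///cn=users,cn=accounts,dc=example,dc=com")(version 3.0; acl "Read own entry (example)"; allow (read, search, compare) userdn = "ldap:///self";)
-
add: aci
aci: (targetattr = "*")(target = "ldap:///cn=groups,cn=accounts,dc=example,dc=com")(version 3.0; acl "Read groups (example)"; allow (read, search, compare) groupdn = "ldap:///cn=dnsreaders,cn=groups,cn=accounts,dc=example,dc=com";)
```

After applying, check from both sides: an anonymous `ldapsearch -x` against the suffix should now be refused, and a bind as a dnsreaders member should return entries under cn=dns but nothing under, say, cn=computers,cn=accounts.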
