[Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

Martin Kosek mkosek at redhat.com
Thu Oct 29 20:10:02 UTC 2015


On 10/29/2015 12:06 AM, craig.linux at mypenguin.net.au wrote:
> Thanks it worked!
> For those also interested in the settings:
>
> Permission: ldap_anonymous
> Bind Type Rule: anonymous
> Granted Rights: (I used) "read","search","compare"
> Subtree: cn=users,cn=accounts,dc=example,dc=com
> Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
> Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
> Effective Attributes:
> gecos, mail, mobile, telephoneNumber, uidNumber
>
> cheers,
>
> Craig

This works. However, the "right way" here would be changing the Bind Type Rule of 
the default permission "System: Read User Addressbook Attributes" from "all" 
(the default for a new installation of FreeIPA 4.0) to "anonymous". This is the 
permission that holds extended attributes like this one:

# ipa permission-show 'System: Read User Addressbook Attributes'
   Permission name: System: Read User Addressbook Attributes
   Granted rights: read, compare, search
   Effective attributes: audio, businesscategory, carlicense, departmentnumber,
                         destinationindicator, employeenumber, employeetype,
                         facsimiletelephonenumber, homephone, homepostaladdress,
                         inetuserhttpurl, inetuserstatus, internationalisdnnumber,
                         jpegphoto, l, labeleduri, mail, mobile, o, ou, pager, photo,
                         physicaldeliveryofficename, postaladdress, postalcode,
                         postofficebox, preferreddeliverymethod, preferredlanguage,
                         registeredaddress, roomnumber, secretary, seealso, st, street,
                         telephonenumber, teletexterminalidentifier, telexnumber,
                         usercertificate, usersmimecertificate, x121address,
                         x500uniqueidentifier
   Default attributes: postofficebox, registeredaddress, jpegphoto,
                       physicaldeliveryofficename, homepostaladdress, labeleduri,
                       photo, postalcode, street, x121address, st, telephonenumber,
                       facsimiletelephonenumber, teletexterminalidentifier,
                       usercertificate, mail, internationalisdnnumber, seealso,
                       x500uniqueidentifier, employeetype, businesscategory,
                       preferredlanguage, preferreddeliverymethod, roomnumber,
                       carlicense, telexnumber, postaladdress, pager,
                       destinationindicator, departmentnumber, mobile,
                       inetuserhttpurl, l, o, inetuserstatus, employeenumber,
                       usersmimecertificate, ou, audio, homephone, secretary
   Bind rule type: all
   Subtree: cn=users,cn=accounts,dc=rhel72
   Type: user


This approach will help you avoid an extra read permission and keep your 
permission updated by FreeIPA, if needed (for example, when a new addressbook 
attribute is added).


>
> On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:
>>     Refer to this doc:
>>     [1]https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
>>     On 28 October 2015 at 11:11, Prashant Bapat <[2]prashant at apigee.com>
>>     wrote:
>>
>>       Making attributes anonymously readable is very simple. You need to look
>>       into RBAC and define the permissions/privileges you need.
>>       On 28 October 2015 at 08:02, <[3]craig.linux at mypenguin.net.au> wrote:
>>
>>         Hi,
>>
>>         We have recently updated from IPA 3 to IPA 4.1 and one of the changes
>>         in security is what attributes are available for the anonymous LDAP
>>         queries.
>>
>>         Does anyone know how to edit the anonymous LDAP settings so
>>         that the following are available?
>>
>>         mail: [4]craig at example.com
>>         postalCode: 3000
>>         street: 1 Home Parade
>>         mobile: 0000-000-000
>>         telephoneNumber: 03-0000-0000
>>
>>         Note: We have many different types of LDAP clients here and even
>>         though using encrypted BINDs did work from ldapsearch queries, I couldn't
>>         get them to consistently work from our email clients.
>>
>>         Regards,
>>
>>         Craig
>>         --
>>         Manage your subscription for the Freeipa-users mailing list:
>>         [5]https://www.redhat.com/mailman/listinfo/freeipa-users
>>         Go to [6]http://freeipa.org for more info on the project
>>
>> References
>>
>>     Visible links
>>     1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
>>     2. mailto:prashant at apigee.com
>>     3. mailto:craig.linux at mypenguin.net.au
>>     4. mailto:craig at example.com
>>     5. https://www.redhat.com/mailman/listinfo/freeipa-users
>>     6. http://freeipa.org/
>
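As an added example (not from the thread and not FreeIPA's own code), the change Martin recommends, followed by the check a practitioner would want afterwards: bind anonymously, dump what a user entry exposes, and flag any attribute beyond the intended set. It assumes a FreeIPA 4.x admin CLI with a valid admin ticket, that the server allows anonymous binds, and placeholder values for SERVER, BASE and the uid.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a FreeIPA 4.x admin CLI with a
# valid admin ticket (kinit admin) and a server that allows anonymous binds.
# SERVER, BASE and the uid passed to "check" are placeholders.
set -eu

SERVER="${SERVER:-ipa.example.com}"   # placeholder
BASE="${BASE:-dc=example,dc=com}"     # placeholder
PERM='System: Read User Addressbook Attributes'

# Switch the managed permission's bind rule (shown as "Bind rule type" in
# permission-show) from "all" to "anonymous". FreeIPA keeps its attribute
# list current on upgrade, so no hand-made "ldap_anonymous" permission is needed.
enable_anonymous_addressbook() {
    ipa permission-mod "$PERM" --bindtype=anonymous
}

# What an anonymous client actually sees: simple bind (-x) with no -D, all
# user attributes of one entry, as LDIF without comments (-LLL).
anonymous_view() {
    ldapsearch -x -LLL -H "ldap://$SERVER" -b "cn=users,cn=accounts,$BASE" "(uid=$1)"
}

# Pure-shell check, no server needed: read LDIF on stdin, print every attribute
# (case-insensitive) that is not in the allow-list given as arguments, and return
# 1 if any was found. Skips the dn line and LDIF continuation lines (which start
# with a space); "::" base64 values such as jpegPhoto are recognised by name.
unexpected_attrs() {
    allowed=" $(printf '%s' "$*" | tr 'A-Z' 'a-z') "
    extra=""
    for attr in $(awk -F: '/^[A-Za-z]/ && $1 != "dn" {print tolower($1)}' | sort -u); do
        case "$allowed" in
            *" $attr "*) ;;
            *) extra="$extra $attr" ;;
        esac
    done
    [ -z "$extra" ] && return 0
    printf '%s\n' $extra
    return 1
}

# Usage: "apply" changes the bind rule; "check <uid>" lists anything an
# anonymous bind can read beyond the five attributes the thread asked for.
case "${1:-}" in
    apply) enable_anonymous_addressbook ;;
    check) anonymous_view "$2" | unexpected_attrs mail postalCode street mobile telephoneNumber ;;
esac
```

Run "check" after "apply": with the bind rule set to anonymous, every attribute in the permission's Effective attributes list (jpegphoto and usercertificate included) is readable by anyone who can reach the LDAP port, so the allow-list should match what you actually intend to publish.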