[Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1
Martin Kosek
mkosek at redhat.com
Thu Oct 29 20:10:02 UTC 2015
On 10/29/2015 12:06 AM, craig.linux at mypenguin.net.au wrote:
> Thanks it worked!
> For those also interested in the settings:
>
> Permission: ldap_anonymous
> Bind Type Rule: anonymous
> Granted Rights: (I used) "read","search","compare"
> Subtree: cn=users,cn=accounts,dc=example,dc=com
> Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
> Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
> Effective Attributes:
> gecos, mail, mobile, telephoneNumber, uidNumber
>
> cheers,
>
> Craig
This works. However, the "right way" here would be changing the Bind Type Rule of
the default permission "System: Read User Addressbook Attributes" from "all"
(the default for a new installation of FreeIPA 4.0) to "anonymous". This is the
permission that holds extended attributes like this one:
# ipa permission-show 'System: Read User Addressbook Attributes'
  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, compare, search
  Effective attributes: audio, businesscategory, carlicense, departmentnumber, destinationindicator, employeenumber, employeetype, facsimiletelephonenumber, homephone, homepostaladdress, inetuserhttpurl, inetuserstatus, internationalisdnnumber, jpegphoto, l, labeleduri, mail, mobile, o, ou, pager, photo, physicaldeliveryofficename, postaladdress, postalcode, postofficebox, preferreddeliverymethod, preferredlanguage, registeredaddress, roomnumber, secretary, seealso, st, street, telephonenumber, teletexterminalidentifier, telexnumber, usercertificate, usersmimecertificate, x121address, x500uniqueidentifier
  Default attributes: postofficebox, registeredaddress, jpegphoto, physicaldeliveryofficename, homepostaladdress, labeleduri, photo, postalcode, street, x121address, st, telephonenumber, facsimiletelephonenumber, teletexterminalidentifier, usercertificate, mail, internationalisdnnumber, seealso, x500uniqueidentifier, employeetype, businesscategory, preferredlanguage, preferreddeliverymethod, roomnumber, carlicense, telexnumber, postaladdress, pager, destinationindicator, departmentnumber, mobile, inetuserhttpurl, l, o, inetuserstatus, employeenumber, usersmimecertificate, ou, audio, homephone, secretary
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=rhel72
  Type: user
This approach will help you avoid an extra read permission and keep your
permission updated by FreeIPA, if needed (when a new addressbook attribute is
added, for example).
>
> On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:
>> Refer to this doc
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
>> On 28 October 2015 at 11:11, Prashant Bapat <prashant at apigee.com>
>> wrote:
>>
>> Making attributes anonymously readable is very simple. You need to look
>> into RBAC and define the permissions/privileges you need.
>> On 28 October 2015 at 08:02, <craig.linux at mypenguin.net.au> wrote:
>>
>> Hi,
>>
>> We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
>> security is what attributes are available for the anonymous LDAP queries.
>>
>> Does anyone know how to edit the anonymous LDAP settings so
>> that the following are available?
>>
>> mail: craig at example.com
>> postalCode: 3000
>> street: 1 Home Parade
>> mobile: 0000-000-000
>> telephoneNumber: 03-0000-0000
>>
>> Note: We have many different types of LDAP clients here and even though
>> using encrypted BINDs did work from ldapsearch queries, I couldn't get
>> them to consistently work from our email clients.
>>
>> Regards,
>>
>> Craig
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
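The two approaches discussed in this thread (Craig's dedicated permission and Martin's change to the managed default permission), side by side with an audit of what an anonymous bind actually returns. This is an added example, not code from the thread or from FreeIPA; the hostname, base DN and the LDIF sample in the test are assumed or constructed.

```shell
# Added example (not from the thread). Assumes an admin Kerberos ticket for the
# ipa commands, and that IPA_HOST and BASE_DN are adjusted to your deployment.
IPA_HOST="${IPA_HOST:-ipa.example.com}"                       # assumed hostname
BASE_DN="${BASE_DN:-cn=users,cn=accounts,dc=example,dc=com}"  # assumed base DN

# Attributes covered by FreeIPA's managed "System: Read User Addressbook
# Attributes" permission (from the permission-show output above), lower-cased.
ADDRESSBOOK_ATTRS="audio businesscategory carlicense departmentnumber
destinationindicator employeenumber employeetype facsimiletelephonenumber
homephone homepostaladdress inetuserhttpurl inetuserstatus
internationalisdnnumber jpegphoto l labeleduri mail mobile o ou pager photo
physicaldeliveryofficename postaladdress postalcode postofficebox
preferreddeliverymethod preferredlanguage registeredaddress roomnumber
secretary seealso st street telephonenumber teletexterminalidentifier
telexnumber usercertificate usersmimecertificate x121address
x500uniqueidentifier"

# Craig's approach: a separate permission with an anonymous bind rule.
add_anonymous_permission() {
  ipa permission-add ldap_anonymous --bindtype=anonymous \
    --right=read --right=search --right=compare --subtree="$BASE_DN" \
    --filter='(&(objectclass=Person)(|(uid=*)(givenName=*)))' \
    --attrs=gecos --attrs=mail --attrs=mobile \
    --attrs=telephoneNumber --attrs=uidNumber
}

# Martin's recommended approach: flip the managed permission's bind rule from
# "all" to "anonymous"; FreeIPA keeps its attribute list current on upgrades.
use_default_addressbook_permission() {
  ipa permission-mod 'System: Read User Addressbook Attributes' \
    --bindtype=anonymous
}

# Audit what an anonymous bind really gets back: read LDIF on stdin (output of
# ldapsearch -x), print each attribute outside the allowed list once, and exit
# 1 if any were found. Lines outside an entry (comments, search result) are skipped.
audit_anonymous_attrs() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^dn:/ { inentry = 1; next }
    /^$/   { inentry = 0; next }
    inentry && /^[A-Za-z0-9;-]+::? / {
      attr = tolower($1); sub(/::?$/, "", attr)
      if (!(attr in ok) && !(attr in seen)) { seen[attr] = 1; print attr; bad = 1 }
    }
    END { exit bad }'
}

# Typical run against the server (not executed here):
#   ldapsearch -x -H "ldap://$IPA_HOST" -b "$BASE_DN" '(uid=*)' \
#     | audit_anonymous_attrs "$ADDRESSBOOK_ATTRS"
```

Run the audit before and after changing the bind rule: a non-empty report means the anonymous bind sees more than the addressbook set (for example gecos or uidNumber from the dedicated permission), which is exactly the extra exposure Martin's approach avoids.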