hi,


On Wed, Sep 13, 2023 at 2:40 AM Super Tony via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> I have an app that determines user access level by querying the IDM server
> for user group membership. I have been using anonymous bind, but that means
> I had to relax the ACI to allow that kind of query.
>
> By default if I query the IDM server for user's group membership using
> anonymous bind, I only get top level containers without the group
> membership details.
>
> What is the recommended way to approach this issue if I am trying to move
> away from anonymous bind but I also don't want to hard code user ID and
> password for making an authenticated query?
>

The recommended way, I guess, is authenticated binding. The possibility of
information leakage is too big if you allow anonymous binding.

You do not need to hard code the credentials in your script or application;
you can provide them using different means (read them from CLI arguments,
from environment variables, from a password vault, interactively, from a
keytab, ...). Each of those has pros and cons, but hard coding them makes
the script less portable between environments.



> Thanks in advance!
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>


-- 
Groeten,
natxo
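One way to put the reply above into practice, as an added example that is not from the thread or from the FreeIPA project: the script picks a credential source at run time (a service keytab for a GSSAPI bind first, otherwise a bind DN plus a password file, which is the usual pattern for an IPA system account under cn=sysaccounts,cn=etc), builds an authenticated ldapsearch for the user's memberOf attribute, escapes the login name so it cannot rewrite the LDAP filter, and keeps only the DNs under cn=groups,cn=accounts as access groups (memberOf also carries roles and HBAC/sudo memberships). The environment variable names, the server and base DN, and the sample LDIF are assumptions made for the example; only the part that talks to a real IPA server needs ldapsearch and kinit installed.

```python
#!/usr/bin/env python3
"""Authenticated IPA group lookup without hard-coded credentials.

Added example for this thread, not code from FreeIPA or from the poster.
Assumed (not stated in the thread): credential sources are selected through
the environment variables IPA_KEYTAB / IPA_PRINCIPAL (Kerberos) or
IPA_BIND_DN / IPA_BIND_PASSWORD_FILE (simple bind as an IPA system account);
the real query runs ldapsearch from openldap-clients against the IPA server
over LDAPS.  Everything except lookup_groups() works offline.
"""
import base64
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class BindCreds:
    mechanism: str                    # "GSSAPI" (keytab) or "SIMPLE" (DN + password file)
    keytab: Optional[str] = None
    principal: Optional[str] = None
    bind_dn: Optional[str] = None
    password_file: Optional[str] = None


def resolve_creds(env: Dict[str, str]) -> BindCreds:
    """Choose a credential source from the environment, keytab first.

    A keytab lets the host authenticate as a service principal with no
    password in the code, the environment or the process list.  A simple
    bind with a password *file* is the fallback; the password itself never
    goes on the command line (ldapsearch -y reads it from the file).
    """
    if env.get("IPA_KEYTAB"):
        return BindCreds("GSSAPI", keytab=env["IPA_KEYTAB"],
                         principal=env.get("IPA_PRINCIPAL"))
    if env.get("IPA_BIND_DN") and env.get("IPA_BIND_PASSWORD_FILE"):
        return BindCreds("SIMPLE", bind_dn=env["IPA_BIND_DN"],
                         password_file=env["IPA_BIND_PASSWORD_FILE"])
    raise RuntimeError("no IPA credentials configured; refusing to fall back to anonymous bind")


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a user-supplied login cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def kinit_argv(creds: BindCreds) -> List[str]:
    """Obtain a TGT from the keytab before a GSSAPI bind (GSSAPI only)."""
    argv = ["kinit", "-k", "-t", creds.keytab]
    if creds.principal:
        argv.append(creds.principal)
    return argv


def ldapsearch_argv(creds: BindCreds, server: str, base_dn: str, uid: str) -> List[str]:
    """Build the authenticated query for one user's memberOf attribute."""
    argv = ["ldapsearch", "-LLL", "-H", f"ldaps://{server}"]
    if creds.mechanism == "GSSAPI":
        argv += ["-Y", "GSSAPI", "-Q"]
    else:
        argv += ["-x", "-D", creds.bind_dn, "-y", creds.password_file]
    # Active users are direct children of cn=users,cn=accounts; scope "one"
    # keeps staged or preserved users out of the result.
    users_base = f"cn=users,cn=accounts,{base_dn}"
    flt = f"(&(objectClass=posixAccount)(uid={ldap_filter_escape(uid)}))"
    return argv + ["-b", users_base, "-s", "one", flt, "memberOf"]


def groups_from_ldif(ldif: str, base_dn: str) -> Set[str]:
    """Extract IPA user-group names from memberOf values in ldapsearch output."""
    groups_suffix = f",cn=groups,cn=accounts,{base_dn}".lower()
    lines: List[str] = []
    for raw in ldif.splitlines():          # unfold LDIF continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    groups: Set[str] = set()
    for line in lines:
        if line.startswith("memberOf:: "):   # base64-encoded value
            dn = base64.b64decode(line[len("memberOf:: "):]).decode("utf-8")
        elif line.startswith("memberOf: "):
            dn = line[len("memberOf: "):]
        else:
            continue
        if not dn.lower().endswith(groups_suffix):
            continue                          # role, HBAC rule, sudo rule, ...
        rdn = dn[: len(dn) - len(groups_suffix)]
        if rdn.lower().startswith("cn=") and "," not in rdn:
            groups.add(rdn[3:])
    return groups


def lookup_groups(creds: BindCreds, server: str, base_dn: str, uid: str) -> Set[str]:
    """Run the real query; needs a reachable IPA server and the CLI tools."""
    if creds.mechanism == "GSSAPI":
        subprocess.run(kinit_argv(creds), check=True)
    out = subprocess.run(ldapsearch_argv(creds, server, base_dn, uid),
                         check=True, capture_output=True, text=True).stdout
    return groups_from_ldif(out, base_dn)


# Constructed sample, shaped like "ldapsearch -LLL" output from an IPA server.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=app-admins,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=long-group-name,cn=groups,cn=accounts,dc=exam
 ple,dc=test
memberOf: cn=helpdesk,cn=roles,cn=accounts,dc=example,dc=test
memberOf: cn=allow_all,cn=hbac,dc=example,dc=test
"""

if __name__ == "__main__":
    import os
    creds = resolve_creds(dict(os.environ))
    print(" ".join(ldapsearch_argv(creds, "ipa.example.test", "dc=example,dc=test", "alice")))
    print(sorted(groups_from_ldif(SAMPLE_LDIF, "dc=example,dc=test")))
```

The application should then check membership in a specific group (for example "app-admins") rather than granting access on any memberOf value, and the service principal or system account used for the bind only needs read access to uid and memberOf under cn=users, not the broad ACI relaxation that anonymous queries required.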