On 09/28/2011 01:13 PM, Stephen Ingram wrote:
When logging into the FreeIPA UI as a user, most everything is removed
with the exception of the Identity tab and the Users list. Although
I'm guessing that LDAP needs to expose the users list to all users
just as anyone can view the passwd file on any one system, is there a
technical need to expose all of the users to any user logging into the
UI?
Steve
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
The UI does not remove any privs. That same user can run the command
line ipa user-find and get the same results. Additionally, the user
has the ability to query the LDAP server directly. Thus, we decided to
leave the ability to enumerate all users, but not to advertise it. We
did remove tabs for other things that the user can do, mainly because
some of them pointed at operations that the user was not allowed to see
(Roles, for example, and Sudo commands for another). We had to draw the
line somewhere, and that is where we decided. It has the added benefit
of letting IPA work as a company directory.