On 10/29/2015 12:06 AM, craig.li...@mypenguin.net.au wrote:
Thanks it worked!
For those also interested in the settings:
Permission: ldap_anonymous
Bind Type Rule: anonymous
Granted Rights: (I used) "read","search","compare"
Subtree: cn=users,cn=accounts,dc=example,dc=com
Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
Effective Attributes:
gecos, mail, mobile, telephoneNumber, uidNumber
cheers,
Craig
This works. However, the "right way" here would be changing the Bind Type Rule of
the default permission "System: Read User Addressbook Attributes" from "all"
(the default in a new installation of FreeIPA 4.0) to "anonymous". This is the
permission that holds extended attributes like this one:
# ipa permission-show 'System: Read User Addressbook Attributes'
Permission name: System: Read User Addressbook Attributes
Granted rights: read, compare, search
Effective attributes: audio, businesscategory, carlicense, departmentnumber,
  destinationindicator, employeenumber, employeetype, facsimiletelephonenumber,
  homephone, homepostaladdress, inetuserhttpurl, inetuserstatus,
  internationalisdnnumber, jpegphoto, l, labeleduri, mail, mobile, o, ou, pager,
  photo, physicaldeliveryofficename, postaladdress, postalcode, postofficebox,
  preferreddeliverymethod, preferredlanguage, registeredaddress, roomnumber,
  secretary, seealso, st, street, telephonenumber, teletexterminalidentifier,
  telexnumber, usercertificate, usersmimecertificate, x121address,
  x500uniqueidentifier
Default attributes: postofficebox, registeredaddress, jpegphoto,
  physicaldeliveryofficename, homepostaladdress, labeleduri, photo, postalcode,
  street, x121address, st, telephonenumber, facsimiletelephonenumber,
  teletexterminalidentifier, usercertificate, mail, internationalisdnnumber,
  seealso, x500uniqueidentifier, employeetype, businesscategory,
  preferredlanguage, preferreddeliverymethod, roomnumber, carlicense,
  telexnumber, postaladdress, pager, destinationindicator, departmentnumber,
  mobile, inetuserhttpurl, l, o, inetuserstatus, employeenumber,
  usersmimecertificate, ou, audio, homephone, secretary
Bind rule type: all
Subtree: cn=users,cn=accounts,dc=rhel72
Type: user
This approach will help you avoid an extra read permission and keep your
permission updated by FreeIPA, if needed (for example when a new addressbook
attribute is added).
On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:
Refer to this doc:
[1]https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
On 28 October 2015 at 11:11, Prashant Bapat <[2]prash...@apigee.com>
wrote:
Making attributes anonymously readable is very simple. You need to look
into RBAC and define the permissions/privileges you need.
On 28 October 2015 at 08:02, <[3]craig.li...@mypenguin.net.au> wrote:
Hi,
We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
security is what attributes are available for the anonymous LDAP queries.
Does anyone know how to edit the anonymous LDAP settings so that the
following are available?
mail: [4]cr...@example.com
postalCode: 3000
street: 1 Home Parade
mobile: 0000-000-000
telephoneNumber: 03-0000-0000
Note: We have many different types of LDAP clients here and even though
using encrypted BINDs did work from ldapsearch queries, I couldn't get
them to consistently work from our email clients.
Regards,
Craig
--
Manage your subscription for the Freeipa-users mailing list:
[5]https://www.redhat.com/mailman/listinfo/freeipa-users
Go to [6]http://freeipa.org for more info on the project
References
Visible links
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
2. mailto:prash...@apigee.com
3. mailto:craig.li...@mypenguin.net.au
4. mailto:cr...@example.com
5. https://www.redhat.com/mailman/listinfo/freeipa-users
6. http://freeipa.org/
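The thread's recommendation is to flip the bind rule of the default "System: Read User Addressbook Attributes" permission to "anonymous" rather than adding a second read permission, and the quoted `ipa permission-show` output lists exactly which attributes such a permission exposes. As an added example (not code from the thread or from FreeIPA itself), the script below parses that output layout, lists every attribute an anonymous bind can read under each anonymous-bind permission, flags the ones a defender would probably not want exposed without a bind, and prints the `ipa permission-mod --bindtype` command the thread suggests. The sample output, the two-space key indentation with deeper-indented wrapped values, the blank-line record separator of `permission-find`, and the `SENSITIVE_ATTRS` list are assumptions constructed for this example.

```python
"""Audit which attributes FreeIPA permissions expose to anonymous LDAP binds.

Added example, not the thread's or FreeIPA's own code. It parses the text
layout of `ipa permission-show` / `ipa permission-find` (as quoted in the
thread) and reports what anonymous binds can read.
"""
import re
import shlex
from typing import Dict, List, Set

# Constructed sample in the layout of `ipa permission-find` output, modelled on
# the permission-show output quoted in the thread (attribute list trimmed).
# Record 1 is the default addressbook permission after the recommended change
# to bindtype anonymous; record 2 is the custom permission from the thread.
SAMPLE_PERMISSION_FIND = """\
----------------------
2 permissions matched
----------------------
  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, compare, search
  Effective attributes: audio, businesscategory, carlicense, homephone, mail,
                        mobile, telephonenumber, usercertificate
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Type: user

  Permission name: ldap_anonymous
  Granted rights: read, search, compare
  Effective attributes: gecos, mail, mobile, telephoneNumber, uidNumber
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
  Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
----------------------------
Number of entries returned 2
----------------------------
"""

# Attributes a defender usually does not want readable without a bind.
# This list is an assumption for the example, not FreeIPA policy.
SENSITIVE_ATTRS = {"usercertificate", "usersmimecertificate", "uidnumber",
                   "gecos", "homephone", "homepostaladdress"}

# "  Key: value" -- the lazy group stops at the first ": ", so a value such as
# "System: Read User Addressbook Attributes" keeps its own colon.
KEY_LINE = re.compile(r"^ {2}(\S[^:]*?): ?(.*)$")


def parse_permissions(text: str) -> List[Dict[str, str]]:
    """Turn permission-show/-find text into a list of {key: value} records."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():                 # blank line separates records
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        if not line.startswith(" "):         # banner / count lines
            continue
        m = KEY_LINE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key is not None:           # deeper-indented wrapped value
            current[last_key] += " " + line.strip()
    if current:
        records.append(current)
    return records


def attr_list(value: str) -> List[str]:
    """Split a comma-separated attribute/right list, lower-cased."""
    return [a.strip().lower() for a in value.split(",") if a.strip()]


def anonymous_readable(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each anonymous-bind permission granting 'read' to its attributes."""
    exposed: Dict[str, Set[str]] = {}
    for rec in records:
        if rec.get("Bind rule type", "").lower() != "anonymous":
            continue
        if "read" not in attr_list(rec.get("Granted rights", "")):
            continue
        exposed[rec["Permission name"]] = set(
            attr_list(rec.get("Effective attributes", "")))
    return exposed


def flag_sensitive(exposed: Dict[str, Set[str]],
                   sensitive: Set[str] = SENSITIVE_ATTRS) -> Dict[str, List[str]]:
    """Per permission, the sensitive attributes it exposes to anonymous binds."""
    return {name: sorted(attrs & sensitive)
            for name, attrs in exposed.items() if attrs & sensitive}


def bindtype_fix_command(permission_name: str, bindtype: str = "anonymous") -> str:
    """The command the thread recommends instead of a second read permission."""
    return f"ipa permission-mod {shlex.quote(permission_name)} --bindtype={bindtype}"


if __name__ == "__main__":
    recs = parse_permissions(SAMPLE_PERMISSION_FIND)
    for name, attrs in sorted(anonymous_readable(recs).items()):
        print(f"{name}: anonymous read of {', '.join(sorted(attrs))}")
    for name, bad in flag_sensitive(anonymous_readable(recs)).items():
        print(f"  review: {name} exposes {', '.join(bad)}")
    print(bindtype_fix_command("System: Read User Addressbook Attributes"))
```

Run it against the real output of `ipa permission-find --bindtype=anonymous` on your server to see the full anonymous attribute surface; the custom permission from the thread shows why the default-permission route is preferable, since it quietly exposes `uidNumber` and `gecos` as well as the address-book fields.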