Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-29 Thread Martin Kosek

On 10/29/2015 12:06 AM, craig.li...@mypenguin.net.au wrote:

> Thanks it worked!
> For those also interested in the settings:
> 
> Permission: ldap_anonymous
> Bind Type Rule: anonymous
> Granted Rights: (I used) "read","search","compare"
> Subtree: cn=users,cn=accounts,dc=example,dc=com
> Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
> Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
> Effective Attributes:
> gecos, mail, mobile, telephoneNumber, uidNumber
> 
> cheers,
> 
> Craig


This works. However, the "right way" here would be changing the Bind Type Rule of the 
default permission "System: Read User Addressbook Attributes" from "all" 
(the default for new installations of FreeIPA 4.0) to "anonymous". This is the 
permission that holds extended attributes like these:


# ipa permission-show 'System: Read User Addressbook Attributes'
  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, compare, search
  Effective attributes: audio, businesscategory, carlicense, departmentnumber,
    destinationindicator, employeenumber, employeetype, facsimiletelephonenumber,
    homephone, homepostaladdress, inetuserhttpurl, inetuserstatus,
    internationalisdnnumber, jpegphoto, l, labeleduri, mail, mobile, o, ou, pager,
    photo, physicaldeliveryofficename, postaladdress, postalcode, postofficebox,
    preferreddeliverymethod, preferredlanguage, registeredaddress, roomnumber,
    secretary, seealso, st, street, telephonenumber, teletexterminalidentifier,
    telexnumber, usercertificate, usersmimecertificate, x121address,
    x500uniqueidentifier
  Default attributes: postofficebox, registeredaddress, jpegphoto,
    physicaldeliveryofficename, homepostaladdress, labeleduri, photo, postalcode,
    street, x121address, st, telephonenumber, facsimiletelephonenumber,
    teletexterminalidentifier, usercertificate, mail, internationalisdnnumber,
    seealso, x500uniqueidentifier, employeetype, businesscategory,
    preferredlanguage, preferreddeliverymethod, roomnumber, carlicense,
    telexnumber, postaladdress, pager, destinationindicator, departmentnumber,
    mobile, inetuserhttpurl, l, o, inetuserstatus, employeenumber,
    usersmimecertificate, ou, audio, homephone, secretary
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=rhel72
  Type: user


This approach will help you avoid an extra read permission and keeps your 
permission updated by FreeIPA, if needed (when a new addressbook 
attribute is added, for example).

On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:

Refer to this doc

[1]https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
On 28 October 2015 at 11:11, Prashant Bapat <[2]prash...@apigee.com>
wrote:

  Making attributes anonymously readable is very simple. You need to look
  into RBAC and define the permissions/privileges you need.
  On 28 October 2015 at 08:02, <[3]craig.li...@mypenguin.net.au> wrote:

Hi,

We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
security is what attributes are available for the anonymous LDAP
queries.

Does anyone know how to edit the anonymous LDAP settings so
that the following are available?

mail: [4]cr...@example.com
postalCode: 3000
street: 1 Home Parade
mobile: -000-000
telephoneNumber: 03--

Note: We have many different types of LDAP clients here and even though
using encrypted BINDs did work from ldapsearch queries, I couldn't get
them to consistently work from our email clients.

Regards,

Craig
--
Manage your subscription for the Freeipa-users mailing list:
[5]https://www.redhat.com/mailman/listinfo/freeipa-users
Go to [6]http://freeipa.org for more info on the project

References

Visible links
1. 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
2. mailto:prash...@apigee.com
3. mailto:craig.li...@mypenguin.net.au
4. mailto:cr...@example.com
5. https://www.redhat.com/mailman/listinfo/freeipa-users
6. http://freeipa.org/




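
The two approaches in this reply differ mainly in how many attributes end up readable without a bind: Craig's ldap_anonymous permission (quoted at the top) names five attributes, while flipping the bind rule type of "System: Read User Addressbook Attributes" exposes the whole list shown above. The following is an added example, not code from the thread or from FreeIPA, that makes that difference checkable before anything is changed. It parses the 'Key: value' listing that `ipa permission-show` prints (including the wrapped continuation lines seen above), reports for every permission bound as "anonymous" which effective attributes are on an allowlist and which are readable on top of it, and previews the effect of Martin's suggestion by changing the bind rule type in the parsed copy only. SAMPLE_OUTPUT is constructed from the thread, not captured from a server; the `ipa permission-mod NAME --bindtype=RULE` form mentioned in a docstring is assumed to be the CLI equivalent of the bind rule change, and the helper names are mine.

```python
"""Audit what FreeIPA permissions expose to anonymous LDAP binds.

Added example, not code from the thread or from FreeIPA. Parses the 'Key: value'
text that `ipa permission-show` prints (values wrap onto continuation lines) and
reports, per permission whose bind rule type is 'anonymous', which effective
attributes are on an allowlist and which are readable on top of it.
"""
import copy
import re

# Keys whose values are comma-separated lists in permission-show output.
LIST_KEYS = {"granted rights", "effective attributes", "default attributes",
             "included attributes", "excluded attributes"}
# "Key name: value"; the lazy key stops at the first colon, so a value such as
# "System: Read User Addressbook Attributes" keeps its own colon.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def _split_list(value):
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def parse_permissions(text):
    """Parse one or more permission records into dicts with lowercased keys."""
    records, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                                  # padding inside a record
        m = KEY_RE.match(line)
        if m and m.group(1).lower() == "permission name":
            current = {"permission name": m.group(2).strip()}
            records.append(current)
            key = None
        elif current is None:
            continue                                  # text before the first record
        elif m:
            key = m.group(1).lower()
            value = m.group(2).strip()
            current[key] = _split_list(value) if key in LIST_KEYS else value
        elif key in LIST_KEYS:
            current[key].extend(_split_list(line))    # wrapped continuation line
    return records


def anonymous_exposure(records, allowlist):
    """Map each anonymously bound permission to (allowed, extra) sorted lists."""
    allowed = {a.lower() for a in allowlist}
    report = {}
    for rec in records:
        if rec.get("bind rule type", "").lower() != "anonymous":
            continue
        attrs = set(rec.get("effective attributes", []))
        report[rec["permission name"]] = (sorted(attrs & allowed), sorted(attrs - allowed))
    return report


def with_bind_rule(records, name, bind_rule):
    """Copy of records with one permission's bind rule type changed: a preview of
    `ipa permission-mod NAME --bindtype=RULE` (assumed CLI form) before running it."""
    out = copy.deepcopy(records)
    for rec in out:
        if rec["permission name"] == name:
            rec["bind rule type"] = bind_rule
    return out


# Constructed sample: Craig's custom permission and the system permission as
# listed in the thread (still bound as "all"), wrapped the way ipa prints them.
SAMPLE_OUTPUT = """\
  Permission name: ldap_anonymous
  Granted rights: read, search, compare
  Effective attributes: gecos, mail, mobile, telephoneNumber, uidNumber
  Bind rule type: anonymous
  Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
  Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com

  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, compare, search
  Effective attributes: audio, businesscategory, carlicense, departmentnumber,
destinationindicator, employeenumber, employeetype, facsimiletelephonenumber,
homephone, homepostaladdress, inetuserhttpurl, inetuserstatus, internationalisdnnumber,
jpegphoto, l, labeleduri, mail, mobile, o, ou, pager, photo, physicaldeliveryofficename,
postaladdress, postalcode, postofficebox, preferreddeliverymethod, preferredlanguage,
registeredaddress, roomnumber, secretary, seealso, st, street, telephonenumber,
teletexterminalidentifier, telexnumber, usercertificate, usersmimecertificate,
x121address, x500uniqueidentifier

  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Type: user
"""
WANTED = ["mail", "postalCode", "street", "mobile", "telephoneNumber"]  # from the question


def audit(text=SAMPLE_OUTPUT, wanted=WANTED):
    """(exposure now, exposure if the system permission were bound anonymously)."""
    records = parse_permissions(text)
    proposed = with_bind_rule(records, "System: Read User Addressbook Attributes", "anonymous")
    return anonymous_exposure(records, wanted), anonymous_exposure(proposed, wanted)
```

Feed `parse_permissions` the real output of `ipa permission-show` for each permission you care about. On the constructed sample, Craig's own permission already exposes gecos and uidNumber beyond the five attributes he asked for, and binding the system permission anonymously would expose 36 more (jpegphoto and usercertificate among them), which is the trade-off between the two approaches.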

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-28 Thread craig . linux
Thanks it worked!
For those also interested in the settings:

Permission: ldap_anonymous
Bind Type Rule: anonymous
Granted Rights: (I used) "read","search","compare"
Subtree: cn=users,cn=accounts,dc=example,dc=com
Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
Effective Attributes: 
gecos, mail, mobile, telephoneNumber, uidNumber

cheers,

Craig




On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:
>Refer to this doc
>
> [1]https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
>On 28 October 2015 at 11:11, Prashant Bapat <[2]prash...@apigee.com>
>wrote:
> 
>  Making attributes anonymously readable is very simple. You need to look
>  into RBAC and define the permissions/privileges you need. 
>  On 28 October 2015 at 08:02, <[3]craig.li...@mypenguin.net.au> wrote:
> 
>Hi,
> 
>We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
>security is what attributes are available for the anonymous LDAP
>queries.
> 
>Does anyone know how to edit the anonymous LDAP settings so
>that the following are available?
> 
>mail: [4]cr...@example.com
>postalCode: 3000
>street: 1 Home Parade
>mobile: -000-000
>telephoneNumber: 03--
> 
>Note: We have many different types of LDAP clients here and even though
>using encrypted BINDs did work from ldapsearch queries, I couldn't get
>them to consistently work from our email clients.
> 
>Regards,
> 
>Craig
> 
> References
> 
>Visible links
>1. 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
>2. mailto:prash...@apigee.com
>3. mailto:craig.li...@mypenguin.net.au
>4. mailto:cr...@example.com
>5. https://www.redhat.com/mailman/listinfo/freeipa-users
>6. http://freeipa.org/


[Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread craig . linux
Hi, 

We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
security is what attributes are available for the anonymous LDAP
queries. 

Does anyone know how to edit the anonymous LDAP settings so
that the following are available?

mail: cr...@example.com
postalCode: 3000
street: 1 Home Parade
mobile: -000-000
telephoneNumber: 03--

Note: We have many different types of LDAP clients here and even though
using encrypted BINDs did work from ldapsearch queries, I couldn't get
them to consistently work from our email clients.

Regards,

Craig



Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread Prashant Bapat
Making attributes anonymously readable is very simple. You need to look
into RBAC and define the permissions/privileges you need.

On 28 October 2015 at 08:02,  wrote:

> Hi,
>
> We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
> security is what attributes are available for the anonymous LDAP
> queries.
>
> Does anyone know how to edit the anonymous LDAP settings so
> that the following are available?
>
> mail: cr...@example.com
> postalCode: 3000
> street: 1 Home Parade
> mobile: -000-000
> telephoneNumber: 03--
>
> Note: We have many different types of LDAP clients here and even though
> using encrypted BINDs did work from ldapsearch queries, I couldn't get
> them to consistently work from our email clients.
>
> Regards,
>
> Craig
>

Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

2015-10-27 Thread Prashant Bapat
Refer to this doc
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls

On 28 October 2015 at 11:11, Prashant Bapat  wrote:

> Making attributes anonymously readable is very simple. You need to look
> into RBAC and define the permissions/privileges you need.
>
> On 28 October 2015 at 08:02,  wrote:
>
>> Hi,
>>
>> We have recently updated from IPA 3 to IPA 4.1 and one of the changes in
>> security is what attributes are available for the anonymous LDAP
>> queries.
>>
>> Does anyone know how to edit the anonymous LDAP settings so
>> that the following are available?
>>
>> mail: cr...@example.com
>> postalCode: 3000
>> street: 1 Home Parade
>> mobile: -000-000
>> telephoneNumber: 03--
>>
>> Note: We have many different types of LDAP clients here and even though
>> using encrypted BINDs did work from ldapsearch queries, I couldn't get
>> them to consistently work from our email clients.
>>
>> Regards,
>>
>> Craig
>>