Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

On 10/29/2015 12:06 AM, craig.li...@mypenguin.net.au wrote:
> Thanks it worked! For those also interested in the settings:
>
> Permission: ldap_anonymous
> Bind Type Rule: anonymous
> Granted Rights: (I used) "read", "search", "compare"
> Subtree: cn=users,cn=accounts,dc=example,dc=com
> Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
> Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
> Effective Attributes: gecos, mail, mobile, telephoneNumber, uidNumber
>
> cheers,
> Craig

This works. However, the "right way" here would be changing the Bind Type Rule of the default permission "System: Read User Addressbook Attributes" from "all" (the default for a new installation of FreeIPA 4.0) to "anonymous". This is the permission that holds extended attributes like this one:

    # ipa permission-show 'System: Read User Addressbook Attributes'
      Permission name: System: Read User Addressbook Attributes
      Granted rights: read, compare, search
      Effective attributes: audio, businesscategory, carlicense, departmentnumber, destinationindicator, employeenumber, employeetype, facsimiletelephonenumber, homephone, homepostaladdress, inetuserhttpurl, inetuserstatus, internationalisdnnumber, jpegphoto, l, labeleduri, mail, mobile, o, ou, pager, photo, physicaldeliveryofficename, postaladdress, postalcode, postofficebox, preferreddeliverymethod, preferredlanguage, registeredaddress, roomnumber, secretary, seealso, st, street, telephonenumber, teletexterminalidentifier, telexnumber, usercertificate, usersmimecertificate, x121address, x500uniqueidentifier
      Default attributes: postofficebox, registeredaddress, jpegphoto, physicaldeliveryofficename, homepostaladdress, labeleduri, photo, postalcode, street, x121address, st, telephonenumber, facsimiletelephonenumber, teletexterminalidentifier, usercertificate, mail, internationalisdnnumber, seealso, x500uniqueidentifier, employeetype, businesscategory, preferredlanguage, preferreddeliverymethod, roomnumber, carlicense, telexnumber, postaladdress, pager, destinationindicator, departmentnumber, mobile, inetuserhttpurl, l, o, inetuserstatus, employeenumber, usersmimecertificate, ou, audio, homephone, secretary
      Bind rule type: all
      Subtree: cn=users,cn=accounts,dc=rhel72
      Type: user

This approach will help you avoid an extra read permission and keep your permission updated by FreeIPA updates, if needed (when a new addressbook attribute is added, for example).

> On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:
> > Refer this doc
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
> >
> > On 28 October 2015 at 11:11, Prashant Bapat <prash...@apigee.com> wrote:
> > > Making attributes anonymously readable is very simple. You need to look into RBAC and define the permissions/privileges you need.
> > >
> > > On 28 October 2015 at 08:02, <craig.li...@mypenguin.net.au> wrote:
> > > > Hi,
> > > >
> > > > We have recently updated from IPA 3 to IPA 4.1 and one of the changes in security is what attributes are available for the anonymous LDAP queries.
> > > >
> > > > Does anyone know how to edit the anonymous LDAP settings so that the following are available?
> > > >
> > > > mail: cr...@example.com
> > > > postalCode: 3000
> > > > street: 1 Home Parade
> > > > mobile: -000-000
> > > > telephoneNumber: 03--
> > > >
> > > > Note: We have many different types of LDAP clients here and even though using encrypted BINDs did work from ldapsearch queries, I couldn't get them to consistently work from our email clients.
> > > >
> > > > Regards,
> > > >
> > > > Craig

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

Thanks it worked! For those also interested in the settings:

Permission: ldap_anonymous
Bind Type Rule: anonymous
Granted Rights: (I used) "read", "search", "compare"
Subtree: cn=users,cn=accounts,dc=example,dc=com
Extra target filter: (&(objectclass=Person)(|(uid=*)(givenName=*)))
Target DN: uid=*,cn=users,cn=accounts,dc=example,dc=com
Effective Attributes: gecos, mail, mobile, telephoneNumber, uidNumber

cheers,
Craig

On Wed, Oct 28, 2015 at 11:18:29AM +0530, Prashant Bapat wrote:
> Refer this doc
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls
>
> On 28 October 2015 at 11:11, Prashant Bapat <prash...@apigee.com> wrote:
> > Making attributes anonymously readable is very simple. You need to look into RBAC and define the permissions/privileges you need.
> >
> > On 28 October 2015 at 08:02, <craig.li...@mypenguin.net.au> wrote:
> > > Hi,
> > >
> > > We have recently updated from IPA 3 to IPA 4.1 and one of the changes in security is what attributes are available for the anonymous LDAP queries.
> > >
> > > Does anyone know how to edit the anonymous LDAP settings so that the following are available?
> > >
> > > mail: cr...@example.com
> > > postalCode: 3000
> > > street: 1 Home Parade
> > > mobile: -000-000
> > > telephoneNumber: 03--
> > >
> > > Note: We have many different types of LDAP clients here and even though using encrypted BINDs did work from ldapsearch queries, I couldn't get them to consistently work from our email clients.
> > >
> > > Regards,
> > >
> > > Craig
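The two approaches in this thread (flipping the bind rule of the built-in "System: Read User Addressbook Attributes" permission, or adding a dedicated ldap_anonymous permission as Craig did) differ mainly in which attributes they expose and who maintains the list. The script below is an added example, not from the thread and not FreeIPA's own tooling. It parses the text that `ipa permission-show` prints (the sample is constructed from the output quoted in the reply above, with the attribute list abbreviated), checks whether that permission already covers the attributes Craig's mail clients read and whether its bind rule is anonymous, and prints the `ipa permission-mod` command the reply recommends, or, for attributes the built-in permission does not carry (gecos and uidNumber in Craig's list), an `ipa permission-add` in the shape of his ldap_anonymous permission. The hostname ipa.example.com and the realm dc=example,dc=com are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeIPA's own tooling.
# Given the text `ipa permission-show` prints for a permission, check whether it
# (a) is open to anonymous binds and (b) covers the attributes your LDAP clients
# need, then print the ipa command that fixes whichever is missing. Input below
# is a constructed sample; run the printed commands yourself on the IPA server
# with an admin ticket (kinit admin).

PERM_NAME='System: Read User Addressbook Attributes'

# Sample permission-show output, constructed from the thread; attribute list
# abbreviated, realm dc=example,dc=com assumed.
PERM_OUTPUT='  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, compare, search
  Effective attributes: audio, businesscategory, carlicense, homephone, l, mail, mobile, o, ou, pager, postalcode, street, telephonenumber, usercertificate
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Type: user'

# perm_field FIELD  (stdin: permission-show output) -> value of "  FIELD: value"
perm_field() {
    sed -n "s/^ *$1: //p"
}

# perm_bindtype OUTPUT -> bind rule type (all | anonymous | permission | self)
perm_bindtype() {
    printf '%s\n' "$1" | perm_field 'Bind rule type'
}

# perm_missing_attrs OUTPUT ATTR... -> space-separated attributes that are not
# in the Effective attributes list (empty when all are covered). LDAP attribute
# names are case-insensitive, so the comparison is done lower-cased.
perm_missing_attrs() {
    output=$1; shift
    effective=$(printf '%s\n' "$output" | perm_field 'Effective attributes' \
                | tr 'A-Z' 'a-z' | tr -d ' ' | tr ',' '\n')
    missing=''
    for want in "$@"; do
        lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        printf '%s\n' "$effective" | grep -qx "$lc" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# The attributes the original poster's mail clients read without binding.
WANTED='mail postalCode street mobile telephoneNumber'

missing=$(perm_missing_attrs "$PERM_OUTPUT" $WANTED)
bindtype=$(perm_bindtype "$PERM_OUTPUT")

if [ -z "$missing" ]; then
    echo "All wanted attributes are in '$PERM_NAME'."
    if [ "$bindtype" != anonymous ]; then
        # The thread's recommended fix: change the built-in permission's bind
        # rule instead of adding a parallel one, so FreeIPA updates keep the
        # attribute list current.
        echo "Bind rule type is '$bindtype'; to open it to anonymous binds run:"
        echo "  ipa permission-mod '$PERM_NAME' --bindtype=anonymous"
    fi
else
    # Attributes outside the addressbook permission need their own permission
    # (the shape the original poster used), limited to exactly those attributes.
    echo "Not covered by '$PERM_NAME': $missing"
    echo "A dedicated anonymous permission for just those attributes:"
    echo "  ipa permission-add ldap_anonymous --bindtype=anonymous \\"
    echo "      --right=read --right=search --right=compare --type=user \\"
    echo "      --attrs=$(echo $missing | tr ' ' ',')"
fi

# Verify from a client afterwards with an anonymous simple bind (no -D / -w):
echo "Verify: ldapsearch -x -H ldaps://ipa.example.com -b cn=users,cn=accounts,dc=example,dc=com '(uid=someuser)' $WANTED"
```

Whatever is granted to an anonymous bind is readable by anyone who can reach the directory on 389/636, so keep the attribute set to what the clients actually need; if only the addressbook attributes are required, the `permission-mod` route exposes nothing beyond the list FreeIPA already maintains for that permission. Run the `ldapsearch` line from an ordinary workstation without a Kerberos ticket to confirm the result matches what the mail clients will see.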
[Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

Hi,

We have recently updated from IPA 3 to IPA 4.1 and one of the changes in security is what attributes are available for the anonymous LDAP queries.

Does anyone know how to edit the anonymous LDAP settings so that the following are available?

mail: cr...@example.com
postalCode: 3000
street: 1 Home Parade
mobile: -000-000
telephoneNumber: 03--

Note: We have many different types of LDAP clients here and even though using encrypted BINDs did work from ldapsearch queries, I couldn't get them to consistently work from our email clients.

Regards,

Craig
Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

Making attributes anonymously readable is very simple. You need to look into RBAC and define the permissions/privileges you need.

On 28 October 2015 at 08:02, <craig.li...@mypenguin.net.au> wrote:
> Hi,
>
> We have recently updated from IPA 3 to IPA 4.1 and one of the changes in security is what attributes are available for the anonymous LDAP queries.
>
> Does anyone know how to edit the anonymous LDAP settings so that the following are available?
>
> mail: cr...@example.com
> postalCode: 3000
> street: 1 Home Parade
> mobile: -000-000
> telephoneNumber: 03--
>
> Note: We have many different types of LDAP clients here and even though using encrypted BINDs did work from ldapsearch queries, I couldn't get them to consistently work from our email clients.
>
> Regards,
>
> Craig
Re: [Freeipa-users] anonymous LDAP attributes with IPA ipa-server-4.1

Refer this doc
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#server-access-controls

On 28 October 2015 at 11:11, Prashant Bapat <prash...@apigee.com> wrote:
> Making attributes anonymously readable is very simple. You need to look into RBAC and define the permissions/privileges you need.
>
> On 28 October 2015 at 08:02, <craig.li...@mypenguin.net.au> wrote:
>> Hi,
>>
>> We have recently updated from IPA 3 to IPA 4.1 and one of the changes in security is what attributes are available for the anonymous LDAP queries.
>>
>> Does anyone know how to edit the anonymous LDAP settings so that the following are available?
>>
>> mail: cr...@example.com
>> postalCode: 3000
>> street: 1 Home Parade
>> mobile: -000-000
>> telephoneNumber: 03--
>>
>> Note: We have many different types of LDAP clients here and even though using encrypted BINDs did work from ldapsearch queries, I couldn't get them to consistently work from our email clients.
>>
>> Regards,
>>
>> Craig