On 12/11/18 1:36 AM, cdknight via FreeIPA-users wrote:
When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi,
this topic has already been discussed in issue 2995: [RFE] Add option to limit the scope of the DS objects user can see in self service [1] and in this thread [2]. This may help understand why self-service WebUI allows to see other users.
You may be able to define ACIs preventing a user from seeing other users' information but this would have to be thoroughly tested as it could break a lot of assumptions done by IPA.
HTH, flo
[1] https://pagure.io/freeipa/issue/2995 [2] https://www.redhat.com/archives/freeipa-users/2016-April/msg00107.html