On Tue, 11 Dec 2018, cdknight via FreeIPA-users wrote:
When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP tokens, etc. How would I go about doing this? The users will only be able to access the web interface, so it doesn't matter whether they can access it from other sources.
There is no way to restrict that. We keep getting this question all the time, and we consider it to be security through obscurity, not real security.
Every enrolled IPA client has to be able to query IPA LDAP for information about users, groups, hosts, sudo rules, etc. This already gives users a way to retrieve the information you are trying to hide in the Web UI.
If a user is able to log in to the web UI, she would be able to use the IPA CLI on the enrolled IPA clients too. Even without the IPA CLI on the enrolled clients, she would be able to issue JSON-RPC commands -- either from the command line on any machine or right from the browser's console.
You can read the archives (make sure to go through the whole threads):
https://www.redhat.com/archives/freeipa-users/2016-March/msg00053.html
https://www.redhat.com/archives/freeipa-users/2016-April/msg00118.html
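As an added illustration of the reply above (not code from the thread or from the FreeIPA project), here is an audit script an administrator can run with an ordinary self-service test account to confirm that the "Active users" list is just one JSON-RPC `user_find` call away from any logged-in user, independent of what the Web UI shows. It assumes the form-login endpoint `/ipa/session/login_password`, the RPC endpoint `/ipa/session/json` and the `Referer` header the server expects; the server name, account, API version and the sample reply are placeholders or constructed values.

```python
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

API_VERSION = "2.230"  # assumption: use the API version your server reports


def ipa_session(server, user, password):
    """Form login, the same endpoint the browser uses; returns an opener holding the session cookie."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    req = urllib.request.Request(
        f"https://{server}/ipa/session/login_password",
        data=urllib.parse.urlencode({"user": user, "password": password}).encode(),
        headers={"Referer": f"https://{server}/ipa", "Accept": "text/plain",
                 "Content-Type": "application/x-www-form-urlencoded"})
    opener.open(req).read()  # a failed login raises urllib.error.HTTPError
    return opener


def ipa_rpc(opener, server, method, args=(), **options):
    """POST one JSON-RPC call in the shape the Web UI sends and return the decoded reply."""
    options["version"] = API_VERSION
    body = json.dumps({"method": method, "params": [list(args), options], "id": 0}).encode()
    req = urllib.request.Request(
        f"https://{server}/ipa/session/json", data=body,
        headers={"Referer": f"https://{server}/ipa", "Accept": "application/json",
                 "Content-Type": "application/json"})
    return json.loads(opener.open(req).read())


def visible_users(reply):
    """Reduce a user_find reply to (list of uids, truncated flag); raise on an IPA-level error."""
    if reply.get("error"):
        err = reply["error"]
        raise RuntimeError(f"IPA error {err.get('code')}: {err.get('message')}")
    res = reply["result"]
    return [e["uid"][0] for e in res["result"]], bool(res.get("truncated"))  # attributes are lists


# Constructed sample of a user_find reply as a non-admin self-service account receives it.
SAMPLE_REPLY = {"result": {"result": [{"uid": ["alice"]}, {"uid": ["bob"]}], "count": 2,
                           "truncated": False, "summary": "2 users matched"},
                "error": None, "id": 0, "principal": "alice@EXAMPLE.TEST", "version": "4.6.4"}

if __name__ == "__main__":
    uids, truncated = visible_users(SAMPLE_REPLY)  # offline run over the constructed sample
    print(f"{len(uids)} users visible (truncated={truncated}): {uids}")
    # Live check against your own server (placeholders):
    # opener = ipa_session("ipa.example.test", "alice", "<password>")
    # print(visible_users(ipa_rpc(opener, "ipa.example.test", "user_find", [""], sizelimit=0)))
```

If the live run lists the same accounts the "Active users" page does, hiding the page changes nothing about what the account can read; only the directory's own read permissions decide that.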