On Tue, 11 Dec 2018, cdknight via FreeIPA-users wrote:
> When a user signs in to FreeIPA, I do not want them to be able to view
> the list of users in my LDAP server under the "Active users" link. I
> still want them to be able to administer self-service, so they can
> reset their password, add OTP tokens, etc. How would I go about doing
> this? The users will only be able to access the web interface, so it
> doesn't matter whether they can access it from other sources.
There is no way to restrict that. We keep getting this question all the
time and we consider it to be security through obscurity, not real
security.
Every enrolled IPA client has to be able to query IPA LDAP for
information about users, groups, hosts, sudo rules, etc. This already
gives users a way to retrieve the information you are trying to hide
in the Web UI.
If a user is able to log in to the web UI, she would be able to use the
IPA CLI on the enrolled IPA clients too. Even without the IPA CLI on the
enrolled clients, she would be able to issue JSON-RPC commands -- either
from the command line on any machine or right from the browser's console.
You can read the archives (make sure to go through the whole threads):
https://www.redhat.com/archives/freeipa-users/2016-March/msg00053.html
https://www.redhat.com/archives/freeipa-users/2016-April/msg00118.html
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland