On Wed, 17 Aug 2022, Entrepreneur AJ via FreeIPA-users wrote:
Hi everyone,

I am wondering if there is a way to restrict a user that is purely for binding an external application to only be able to search within a group but enforced at the ipa server level.

For example, we use Odoo ERP; it has an LDAP module which we want to be able to restrict the users that login to the group, let's call it "odoo-users" for example.

Now if I bind to a normal user or heavens forbid the admin user it could potentially source users that I don't want to have access. Odoo does allow query filters like most LDAP implementations but it would be too easy for someone to change the query filter for my liking.

I looked at permissions and feel this may be the way to go, but from what I can see the documentation is abandoned in favor of the RHEL handbook. (We use Fedora 36 on VPSs.)

Does anyone have any pointers on how I can securely implement this on the server side to ensure that anyone else can't override the users available on the external application?

Are you just wanting to limit access to that external application to
users from a specific group? Typically, these kinds of applications have
two different LDAP queries:

 - first, LDAP bind to verify that the user is able to authenticate
 - second, LDAP query to find whether a user is part of a specific group

Judging by whatever my search engine returned first[1], you can set LDAP
filter to

  (&(objectclass=posixaccount)(uid=%s)(memberof=cn=odoo-users,cn=groups,cn=accounts,dc=example,dc=com))

and use an LDAP base of cn=users,cn=accounts,dc=example,dc=com

Replace dc=example,dc=com by your specific base (`ipa env basedn`).

The filter ensures that, whatever user is provided, their entry's 'uid'
attribute is set to the value provided by Odoo as a username, the entry is
a user account, and this user account is a member of the odoo-users group.

You can use other attributes too. See `ipa user-show --all --raw username`
for all attributes available for the user `username`.

[1] https://www.cybrosys.com/blog/how-to-configure-openldap-in-odoo


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
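As an added illustration, not part of the thread, here is a small Python model of the filter from the reply evaluated against two constructed user entries (alice is in odoo-users, bob is not). It shows why the login name must be RFC 4515-escaped before it is substituted for %s: a bare `*` would otherwise match every odoo-users member instead of one named user, which is exactly the kind of query manipulation the question worries about. BASE_DN, the sample entries and all function names are assumptions.

```python
import re

# Constructed example: replace BASE_DN with the output of `ipa env basedn`.
BASE_DN = "dc=example,dc=com"
USERS_BASE = f"cn=users,cn=accounts,{BASE_DN}"
GROUP_DN = f"cn=odoo-users,cn=groups,cn=accounts,{BASE_DN}"

# Constructed entries shaped like `ipa user-show --all --raw`: alice is in odoo-users, bob is not.
ENTRIES = {
    f"uid=alice,{USERS_BASE}": {"objectclass": ["posixaccount", "inetorgperson"],
                                "uid": ["alice"], "memberof": [GROUP_DN]},
    f"uid=bob,{USERS_BASE}": {"objectclass": ["posixaccount", "inetorgperson"],
                              "uid": ["bob"], "memberof": []},
}

def escape_filter_value(value):
    # RFC 4515: encode \ * ( ) NUL as \xx so the login name is matched literally.
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def build_filter(username, escape=True):
    # The filter from the reply, with %s filled from the Odoo login name.
    uid = escape_filter_value(username) if escape else username
    return f"(&(objectclass=posixaccount)(uid={uid})(memberof={GROUP_DN}))"

def _parse(s, i=0):
    # Minimal RFC 4515 parser: AND lists, equality matches and presence (*).
    i += 1  # skip "("
    if s[i] == "&":
        i, subs = i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        return ("&", subs, None), i + 1
    j = s.index(")", i)
    attr, _, raw = s[i:j].partition("=")
    if raw == "*":  # a bare asterisk is a presence test; \2a is a literal one
        return ("present", attr.lower(), None), j + 1
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.lower(), val), j + 1

def _match(node, entry):
    kind, attr, val = node
    if kind == "&":
        return all(_match(n, entry) for n in attr)
    values = entry.get(attr, [])
    return bool(values) if kind == "present" else any(v.lower() == val.lower() for v in values)

def search(ldap_filter, base=USERS_BASE):
    # Stand-in for `ldapsearch -b base ldap_filter`: DNs of entries under base that match.
    return sorted(dn for dn, e in ENTRIES.items() if dn.endswith(base) and _match(_parse(ldap_filter)[0], e))
```

The application side should accept a login only when the search returns exactly one entry; with escaping, `search(build_filter("*"))` is empty, without it the wildcard returns every odoo-users member.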