Hi Alexander,

That is my current setup. The issue is that we have sister companies that have different 
staff but are on the same IPA server, and for GDPR they shouldn't have access to 
each other's Odoo instance, and the query filter is all too easy to edit.

That's why I'm looking for a server-side solution to reinforce the Odoo solution.

17 Aug 2022 18:04:02 Alexander Bokovoy via FreeIPA-users 
<[email protected]>:

> On Wed, 17 Aug 2022, Entrepreneur AJ via FreeIPA-users wrote:
>> Hi everyone,
>> 
>> I am wondering if there is a way to restrict a user that is purely for 
>> binding an external application to only be able to search within a group but 
>> enforced at the ipa server level.
>> 
>> For example, we use Odoo ERP it has an LDAP module which we want to be able 
>> to restrict the users that log in to the group, let's call it "odoo-users" for 
>> example.
>> 
>> Now if I bind to a normal user or heavens forbid the admin user it could 
>> potentially source users that I don't want to have access. Odoo does allow 
>> query filters like most LDAP implementations but it would be too easy for 
>> someone to change the query filter for my liking.
>> 
>> I looked at permissions and feel this may be the way to go, but from what I 
>> can see the documentation is abandoned in favor of the RHEL handbook. (We 
>> use Fedora 36 on VPSs.)
>> 
>> Does anyone have any pointers on how I can securely implement this on the 
>> server side to ensure that anyone else can't override the users available on 
>> the external application?
> 
> Are you just wanting to limit access to that external application to
> users from a specific group? Typically, these kinds of applications have
> two different LDAP queries:
> 
>   - first, LDAP bind to verify that the user is able to authenticate
>   - second, LDAP query to find whether the user is a member of a specific group
> 
> Judging by whatever my search engine returned first[1], you can set LDAP
> filter to
> 
>    (&(objectclass=posixaccount)(uid=%s)(memberof=cn=odoo-users,cn=groups,cn=accounts,dc=example,dc=com))
> 
> and use an LDAP base of cn=users,cn=accounts,dc=example,dc=com
> 
> Replace dc=example,dc=com by your specific base (`ipa env basedn`).
> 
> The filter ensures that, whatever user is provided, their entry's
> 'uid' attribute is set to the value provided by Odoo as the username, it is a
> user account, and this user account is a member of the odoo-users group.
> 
> You can use other attributes too. See `ipa user-show --all --raw username`
> for all attributes available for the user `username`.
> 
> [1] https://www.cybrosys.com/blog/how-to-configure-openldap-in-odoo
> 
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
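The following is an added example for readers of this thread, not code from the thread, from Odoo or from FreeIPA. It evaluates the filter Alexander suggested against a small in-memory directory so the lookup step of the two-query flow can be reasoned about offline: which entries under the users base match for a given username, and why a valid IPA user who is not in odoo-users is not returned. The sample entries are constructed and carry only the attributes the filter reads; the base and group DNs are the thread's example values, and on a real deployment the base comes from `ipa env basedn`. The `escape_filter_value` helper shows the RFC 4515 escaping a client must apply when substituting `%s`; python-ldap's `ldap.filter.escape_filter_chars` does the same job in production code.

```python
"""Added example (not from the thread, Odoo or FreeIPA): evaluate the
group-membership filter from the thread against an in-memory directory."""

import re

# Values taken from the thread; replace the base with `ipa env basedn` on a
# real deployment.
BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"
GROUP_DN = "cn=odoo-users,cn=groups,cn=accounts,dc=example,dc=com"
FILTER_TEMPLATE = "(&(objectclass=posixaccount)(uid=%s)(memberof=" + GROUP_DN + "))"

# Constructed sample entries modelled on FreeIPA user entries (assumption:
# real entries carry many more attributes; only those the filter reads are kept).
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "objectclass": ["posixaccount", "inetorgperson"],
        "uid": ["alice"],
        "memberof": [GROUP_DN, "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"],
    },
    # Sister-company staff: a valid IPA user, but not in odoo-users.
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {
        "objectclass": ["posixaccount", "inetorgperson"],
        "uid": ["bob"],
        "memberof": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"],
    },
    # The group entry itself lives outside the search base and has no uid.
    GROUP_DN: {"objectclass": ["groupofnames", "posixgroup"], "cn": ["odoo-users"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value: '\\', '*', '(', ')' and NUL
    become \\XX hex escapes, so the username is always compared literally.
    python-ldap's ldap.filter.escape_filter_chars does the same job."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value, used when evaluating the filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(username):
    """Substitute the username into the Odoo-style template with escaping."""
    return FILTER_TEMPLATE % escape_filter_value(username)


def parse_filter(text):
    """Parse the filter subset used here: an AND of equality assertions.
    Anything else (presence, substrings, nested operators) is rejected."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", text)
    if not m:
        raise ValueError("unsupported filter: %r" % text)
    return [(attr.lower(), unescape_filter_value(val))
            for attr, val in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))]


def search(directory, base_dn, filter_text):
    """Subtree search: DNs at or below base_dn whose entry satisfies every
    assertion (case-insensitive, as for caseIgnore and DN-valued attributes)."""
    assertions = parse_filter(filter_text)
    base = base_dn.lower()
    hits = []
    for dn, attrs in directory.items():
        low = dn.lower()
        if low != base and not low.endswith("," + base):
            continue
        if all(any(v.lower() == want.lower() for v in attrs.get(attr, []))
               for attr, want in assertions):
            hits.append(dn)
    return hits


def lookup_odoo_user(username, directory=DIRECTORY):
    """The lookup step of the flow described in the thread: return the DN the
    application would then bind as, or None when the user does not exist or
    is not a member of odoo-users. Exactly one hit is required."""
    hits = search(directory, BASE_DN, build_filter(username))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for name in ("alice", "bob", "nobody", "alice*"):
        print("%-8s -> %s" % (name, lookup_odoo_user(name)))
```

Because the matcher only implements equality, and the username is escaped before substitution, a name such as `alice*` is compared as the literal string and matches nothing. The search base itself also matters: the group entry sits under `cn=groups` and so can never be returned from a search rooted at `cn=users`, which is why the thread pairs the filter with that base.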