On Wed, 17 Aug 2022, Entrepreneur AJ via FreeIPA-users wrote:
Hi Alexander,

That is my current setup. The issue is that we have sister companies that have
different staff but are on the same IPA server, and for GDPR they shouldn't
have access to each other's Odoo instance, and the query filter is all
too easy to edit.

That's why I'm looking for a server-side solution to reinforce the Odoo
solution.

You may read through the ACI plugin documentation for RHDS. It is possible
to design ACIs that apply to a specific LDAP bind DN, but you need to
design them with a possible attacker's LDAP filters in mind. An issue I'd
see is that if they are able to modify the LDAP filter settings, why
couldn't they change the LDAP bind DN as well to something they own? Then your
ACIs would not apply anymore.

Changing default ACIs is more of an issue that would break other
systems. SSSD uses a host principal to bind so theoretically access by
hosts could be confined to LDAP bind DNs that use host principal DNs and
deny everyone else default access. But this is something you'd need to
investigate yourself on a test instance. We never really looked at that
because in POSIX environments identity information is public on the host
to every application (e.g. 'id username' would not need any specific
per-user auth once you are logged in).


17 Aug 2022 18:04:02 Alexander Bokovoy via FreeIPA-users <[email protected]>:

On Wed, 17 Aug 2022, Entrepreneur AJ via FreeIPA-users wrote:
Hi everyone,

I am wondering if there is a way to restrict a user that is purely for binding
an external application to only be able to search within a group, but enforced
at the IPA server level.

For example, we use Odoo ERP. It has an LDAP module, and we want to be able to restrict
the users that log in to a group; let's call it "odoo-users" for example.

Now if I bind to a normal user, or heaven forbid the admin user, it could
potentially source users that I don't want to have access. Odoo does allow
query filters like most LDAP implementations, but it would be too easy for
someone to change the query filter for my liking.

I looked at permissions and feel this may be the way to go, but from what I can
see the documentation is abandoned in favor of the RHEL handbook. (We use
Fedora 36 on VPSs.)

Does anyone have any pointers on how I can securely implement this on the 
server side to ensure that anyone else can't override the users available on 
the external application?

Are you just wanting to limit access to that external application to
users from a specific group? Typically, these kinds of applications have
two different LDAP queries:

  - first, LDAP bind to verify that the user is able to authenticate
  - second, LDAP query to find a user is a part of a specific group

Judging by whatever my search engine returned first[1], you can set the LDAP
filter to

  (&(objectclass=posixaccount)(uid=%s)(memberof=cn=odoo-users,cn=groups,cn=accounts,dc=example,dc=com))

and use an LDAP base of cn=users,cn=accounts,dc=example,dc=com

Replace dc=example,dc=com by your specific base (`ipa env basedn`).

The filter ensures that, whatever user is provided, the entry's 'uid'
attribute is set to the value provided by Odoo as a username, it is a
user account, and this user account is a member of the odoo-users group.

You can use other attributes too. See `ipa user-show --all --raw username`
for all attributes available for the user `username`.

[1] https://www.cybrosys.com/blog/how-to-configure-openldap-in-odoo


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue



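Added example (not code from the thread, Odoo or FreeIPA): it builds the membership filter Alexander suggested with the username substituted and escaped per RFC 4515, then evaluates the same three assertions against constructed in-memory entries to show which logins would be accepted. The base DN, the bind-side escaping and the sample entries are assumptions.

```python
"""Build and evaluate the odoo-users membership filter from the thread."""
from typing import Dict, List, Optional

BASE_DN = "dc=example,dc=com"  # assumption; take the real one from `ipa env basedn`
ODOO_GROUP_DN = f"cn=odoo-users,cn=groups,cn=accounts,{BASE_DN}"

# RFC 4515 escaping for the value substituted into %s, so a username such as
# "*)(uid=admin" stays a literal and cannot widen the search to other accounts.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def odoo_login_filter(username: str) -> str:
    """The thread's filter with the Odoo-supplied username substituted (escaped)."""
    return (f"(&(objectclass=posixaccount)(uid={escape_filter_value(username)})"
            f"(memberof={ODOO_GROUP_DN}))")


# Constructed sample entries under cn=users,cn=accounts,<base>; attribute names
# are lowercased because the server matches them case-insensitively.
SAMPLE_USERS: List[Dict[str, List[str]]] = [
    {"uid": ["alice"], "objectclass": ["posixaccount", "person"],
     "memberof": [ODOO_GROUP_DN, f"cn=ipausers,cn=groups,cn=accounts,{BASE_DN}"]},
    {"uid": ["bob"], "objectclass": ["posixaccount", "person"],
     "memberof": [f"cn=ipausers,cn=groups,cn=accounts,{BASE_DN}"]},
    {"uid": ["admin"], "objectclass": ["posixaccount", "person"],
     "memberof": [f"cn=admins,cn=groups,cn=accounts,{BASE_DN}"]},
]


def matches(entry: Dict[str, List[str]], username: str) -> bool:
    """Evaluate the three AND-ed equality assertions of odoo_login_filter against
    one entry; values compare case-insensitively, as the directory does."""
    def has(attr: str, value: str) -> bool:
        return value.lower() in (v.lower() for v in entry.get(attr, []))
    return (has("objectclass", "posixaccount") and has("uid", username)
            and has("memberof", ODOO_GROUP_DN))


def find_odoo_user(username: str, entries=SAMPLE_USERS) -> Optional[str]:
    """Return the uid of the single entry the filter selects, or None if the
    login should be refused (no match, or not a member of odoo-users)."""
    hits = [e for e in entries if matches(e, username)]
    return hits[0]["uid"][0] if len(hits) == 1 else None
```

The group check lives in the filter the application sends, which is exactly the part the original question worries about being edited; the evaluator only shows what the server would return for that filter.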
