Anonymous_User

question about visibility

How do I limit visibility to those that can get to iManager? The
situation is I found out from some schools that the kiddies figured out
how to get to the iManager page. Although they can't do anything because
no roles or tasks are assigned, they can see everything. I don't want
them to see anything. Here is the strange thing I can't figure out. Each
school has a server. Then I have three servers at the data center: a master
and two read/writes of the whole tree. At the school level, with the login they
are using, they see everything in the left task pane. When I use the
credentials they use, the left task pane indicates no tasks or roles
assigned and nothing is displayed. I am confused by this difference. Or
alternatively, instructions on how to disable iManager would work also. I
don't need it at the schools. Any help would be appreciated.
AutomaticReply

Re: question about visibility

CCPS,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort and volunteer run, so if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com



Knowledge Partner

Re: question about visibility

On 04/12/2017 12:40 PM, CCPS wrote:
> How do I limit visibility to those that can get to iManager? The
> situation is I found out from some schools that the kiddies figured out how
> to get to the iManager page. Although they can't do anything because no


Just to be clear, your best way of preventing users from accessing
iManager at all is a firewall preventing their IP address(es) from
reaching its listening port. Even if you do this, though, you're focusing
on the client part of the equation (iManager is a client to eDirectory)
and anybody in the world can probably go and download iManager, or
ConsoleOne, or older NCP clients, and connect directly to eDirectory with
those same rights, but without any role/task limitations. That does not
mean they magically have rights to do anything, just because they can
connect to the tree, but it does mean that merely preventing your own
instance of iManager from being accessed is an attempt at implementing
security on the client side, not the server side, and that is by
definition a broken model.

Blocking access to eDirectory is both easier and harder; easier
technically when it comes to reaching your desired goal, but possibly
harder since you may have clients on workstations or other services that
NEED to reach eDirectory from those same boxes, and blocking those will
break services you want to provide.

> roles or tasks are assigned, they can see everything. I don't want them to
> see anything. Here is the strange thing I can't figure out. Each school


One step you can take, though you should definitely test first in a valid
test environment to be sure you do not impair desired services, is to
change default rights within the tree. By default users can see the tree
structure (the hierarchy of objects) and some attributes that are
considered public (UID, Surname, Object Class) but they should not see
most other attributes that are defined in schema. Seeing the structure is
not a great help to would-be attackers, but you can prevent it by changing
rights within the tree; this may also break other services that are
relying on the ability to anonymously see that structure, so beware.

Another change you can make is to make it so that the attributes that are
readable by default (UID, Surname) are no longer visible by default via a
schema change. This will likely break services that implement a
contextless login type of feature unless those services have their own
proxy user that they use to find a user's DN based on some attribute value
entered by the user (usually compared against UID or CN). Making this
change will prevent users from seeing some not-that-sensitive details of
objects within the tree, but you really need to be sure things work as
expected afterward since you are changing a lot of assumptions you've been
making about the tree for decades.

> has a server. Then I have three servers at the data center: a master and two
> read/writes of the whole tree. At the school level, with the login they are using,
> they see everything in the left task pane. When I use the credentials they
> use, the left task pane indicates no tasks or roles assigned and nothing is
> displayed. I am confused by this difference. Or alternatively, instructions
> on how to disable iManager would work also. I don't need it at the
> schools. Any help would be appreciated.


The left task pane shows roles and tasks either assigned to the user
('Assigned' mode) or shows everything to all users ('Unrestricted' mode).
Unrestricted mode can be forced, and I believe can be defined on a
per-iManager instance basis, so this could be normal. At the end of the
day, seeing roles and tasks does not mean you can do anything with them.

You may want to consider why you have so many instances of iManager as
well; many places will have two regardless of organization size, with
maybe a Workstation version as a backup on a main admin's computer.
Having one on every eDirectory box, or even at every site, is often a bit
overkill these days where network links are much better than they were
twenty-some years ago. Keep in mind, though, that merely uninstalling
iManager does not prevent users from getting their own version as
mentioned above.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
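The rights changes described in the reply above (default visibility of the tree structure and of the public attributes UID, Surname and Object Class) are easiest to judge by looking at what a low-privilege LDAP bind actually gets back before and after the change. The script below is an added example, not code from the thread or from Micro Focus: it parses LDIF from stdin and reports every attribute outside an expected public set. It assumes the LDIF comes from `ldapsearch -x -LLL` (the `-LLL` form prints no `search:`/`result:` trailer lines) and that the thread's UID/Surname/Object Class appear under their LDAP names `uid`, `sn` and `objectClass`; the sample entry is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reports which attributes an LDAP
# search returned beyond the expected public set, so a default-rights or
# schema change can be verified from a student-level (or anonymous) bind.
# Assumptions (not from the thread): input is `ldapsearch -x -LLL` LDIF;
# the public attributes are uid, sn and objectClass in LDAP naming.

# Print the distinct attribute names in the LDIF read from stdin, sorted.
# "dn" names the entry rather than being an attribute, so it is skipped;
# base64 values ("attr:: ...") and continuation lines (leading space) are
# handled by only matching "name:" at the start of a line.
ldif_attributes() {
    awk '
        /^[A-Za-z][A-Za-z0-9;.-]*:/ {
            name = $0; sub(/:.*/, "", name)
            if (name != "dn") print name
        }
    ' | sort -u
}

# Print attributes outside the allowed set (first argument, space
# separated; default is the thread's UID/Surname/Object Class trio).
unexpected_attributes() {
    allowed=" ${1:-uid sn objectClass} "
    ldif_attributes | while IFS= read -r attr; do
        case "$allowed" in
            *" $attr "*) ;;                     # expected public attribute
            *) printf '%s\n' "$attr" ;;         # should be hidden from this bind
        esac
    done
}

# Constructed sample LDIF: an entry whose non-public attributes are still
# readable. Real input would come from something like
#   ldapsearch -x -LLL -H ldaps://EDIR_HOST -b 'o=SCHOOL' '(uid=STUDENT)'
# with EDIR_HOST, o=SCHOOL and STUDENT as placeholders for your tree.
SAMPLE_LDIF='dn: cn=student1,ou=students,o=school
objectClass: inetOrgPerson
objectClass: Person
uid: student1
sn: Example
givenName: Sample
mail: student1@example.invalid
description:: U2FtcGxlIGVudHJ5
 continuation-line-is-not-an-attribute
'

# Report for the constructed sample; each line is an attribute a
# hardening change should make unreadable for this bind.
sample_report() {
    printf '%s' "$SAMPLE_LDIF" | unexpected_attributes
}
```

Run the search once with the credentials the students use and once anonymously; an empty report from `unexpected_attributes` means only the public trio is exposed, and re-running after the rights change shows whether contextless-login services (which need `uid` or `cn`) still have what they rely on.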
Anonymous_User

Re: question about visibility

Thanks for your responses. How would I disable the local school imanager
instances? You are correct I don't need that many running around.
Knowledge Partner

Re: question about visibility

On 04/19/2017 03:40 PM, CCPS wrote:
> Thanks for your responses. How would I disable the local school imanager
> instances? You are correct I don't need that many running around.


Stop the Apache Tomcat instance that runs iManager on those boxes, and
disable it so that it does not auto-start when runlevels change (e.g. on
reboot). The service may be named something like novell-tomcat8 or
novell-tomcat7 or something, or maybe even a lower number on really old boxes.


# stop the Tomcat instance that serves iManager
/etc/init.d/novell-tomcat8 stop
# keep it from starting again on reboot / runlevel change
chkconfig novell-tomcat8 off


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Anonymous_User

Re: question about visibility

Great. Thanks. Last question. Will that affect the iPrint web page from
loading?
Knowledge Partner

Re: question about visibility

If iPrint uses the same Apache Tomcat instance, yes. If that's the case,
you could just remove the iManager portion (nps and nps.war) from Tomcat
(while it is stopped) and then that means the code is gone, though again
this does not do anything to prevent anybody from accessing eDirectory via
their own version of iManager.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
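The two options in the replies above, stopping and disabling the Tomcat that serves iManager, or, where iPrint shares that Tomcat, taking only the iManager webapp (nps and nps.war) out of it, are wrapped below as an added example; it is not code from the thread or from Micro Focus. Assumptions not in the thread: the service name and the Tomcat webapps directory are passed in because they vary by version (the thread names novell-tomcat8 and novell-tomcat7), iManager's HTTPS port is taken as 8443, `systemctl` is used on boxes that have it in place of the init.d/chkconfig pair, and the webapps directory in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Disables the local iManager on a
# school server either by stopping its Tomcat or, when iPrint shares that
# Tomcat, by moving the iManager webapp out of it. Assumptions (not from
# the thread): service name and webapps path are arguments; 8443 is the
# iManager HTTPS port; systemctl is used where present.

# Return 0 if something listens on TCP port $1, 1 if not, 2 if neither
# ss nor netstat exists. Used to confirm iManager really stopped answering.
port_listening() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -Eq "[:.]${port}[[:space:]]"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | grep -Eq "[:.]${port}[[:space:]]"
    else
        return 2
    fi
}

# Stop the Tomcat service and keep it from starting at boot. The init.d
# path is what the thread uses; systemctl covers systemd-based boxes.
imanager_service_disable() {
    svc="$1"
    if [ -x "/etc/init.d/$svc" ]; then
        "/etc/init.d/$svc" stop && chkconfig "$svc" off
    elif command -v systemctl >/dev/null 2>&1 && systemctl cat "$svc" >/dev/null 2>&1; then
        systemctl stop "$svc" && systemctl disable "$svc"
    else
        echo "no service named '$svc' on this box" >&2
        return 1
    fi
}

# Print the iManager pieces (the nps webapp directory and nps.war) found
# in the given Tomcat webapps directory, space separated.
imanager_artifacts() {
    found=""
    for item in nps nps.war; do
        [ -e "$1/$item" ] && found="$found $item"
    done
    printf '%s\n' "${found# }"
}

# Move the iManager pieces out of webapps ($1) into a backup directory
# ($2). Run with Tomcat stopped. Other webapps such as iPrint are left
# alone and the change is reversible. Returns 1 if nothing was found or a
# move failed.
imanager_webapp_remove() {
    webapps="$1"; backup="$2"
    items=$(imanager_artifacts "$webapps")
    [ -n "$items" ] || { echo "nothing to remove in $webapps" >&2; return 1; }
    mkdir -p "$backup" || return 1
    for item in $items; do
        mv "$webapps/$item" "$backup/" || return 1
    done
}

# Usage on a school server (this file runs nothing by itself):
#   imanager_service_disable novell-tomcat8
#   port_listening 8443 && echo "something still answers on 8443"
# or, when iPrint shares the same Tomcat:
#   /etc/init.d/novell-tomcat8 stop
#   imanager_webapp_remove /PATH/TO/TOMCAT/webapps /root/imanager-backup
#   /etc/init.d/novell-tomcat8 start
```

As the replies stress, neither path changes what the students' credentials can read from eDirectory; it only removes the iManager instance you host. The backup directory keeps the move reversible, and checking the port afterwards catches the case where a second Tomcat or a restarted service is still serving the page.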