[Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

Rob Crittenden rcritten at redhat.com
Thu Jan 20 18:05:16 UTC 2011


Simo Sorce wrote:
> On Wed, 19 Jan 2011 17:51:56 -0500
> Rob Crittenden<rcritten at redhat.com>  wrote:
>
>> +aci: (targetattr = "member || memberOf || memberHost ||
>> memberUser")(version 3.0; acl "No anonymous access to member
>> information"; deny (read,search,compare) userdn != "ldap:///all";)
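Review bot: the targetattr list in this ACI includes `member`, so the deny reaches far beyond the HBAC data named in the subject and hides group membership on ordinary posixGroup entries from anonymous binds; nss_ldap binds anonymously by default and resolves secondary groups from `member`, so drop it and keep `memberOf || memberHost || memberUser`, or add a `target` clause that scopes the rule to the HBAC container so plain group entries are untouched. Also note that `userdn != "ldap:///all"` matches only unauthenticated binds, which is the intended anonymous case; this rule by itself does not restrict any authenticated user.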
>
> Nack, without 'member', nss_ldap will have no way to determine
> posixAccount group memberships using anonymous access (the default).
>
> Simo.
>

Ok, dropped member and added an aci for cn=roles.

rob
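For reference, the rule as the thread ends up describing it, with `member` dropped from the denied attribute set, plus a separately scoped rule for the roles container. This is an added LDIF example written for this page, not the contents of the attached patch; `$SUFFIX` is a placeholder for the directory suffix, and the container DN `cn=roles,cn=accounts,$SUFFIX` and the exact form of the second rule are assumptions, since the attachment itself is not reproduced here. In 389 Directory Server, `userdn != "ldap:///all"` matches only binds that are not authenticated, so both rules deny anonymous searches and leave bound users unaffected.

```ldif
# Added example, not the attached patch. The first ACI sits on the suffix
# entry so it applies tree-wide; 'member' is intentionally absent so that
# anonymous nss_ldap clients can still resolve posixGroup membership.
# The second ACI is scoped with a target clause to the roles container
# (assumed DN) and denies anonymous reads of everything under it.
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
-
add: aci
aci: (target = "ldap:///cn=roles,cn=accounts,$SUFFIX")(targetattr = "*")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
```

To verify the effect after loading this, search a group entry twice: once anonymously (`ldapsearch -x -b "cn=groups,cn=accounts,$SUFFIX" "(cn=admins)" member memberOf`, with the groups container DN assumed here), which should return `member` but no `memberOf`, and once with a simple bind as an ordinary user (`-D` and `-W`), which should return both; an anonymous search under `cn=roles,cn=accounts,$SUFFIX` should return no entries at all.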
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-683-2-aci.patch
Type: text/x-patch
Size: 3872 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110120/7c44e870/attachment.bin>
