[Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

Rob Crittenden rcritten at redhat.com
Mon Jan 24 19:33:34 UTC 2011


JR Aquino wrote:
> On 1/20/11 10:05 AM, "Rob Crittenden"<rcritten at redhat.com>  wrote:
>> Simo Sorce wrote:
>>> On Wed, 19 Jan 2011 17:51:56 -0500
>>> Rob Crittenden<rcritten at redhat.com>   wrote:
>>>
>>>> +aci: (targetattr = "member || memberOf || memberHost ||
>>>> memberUser")(version 3.0; acl "No anonymous access to member
>>>> information"; deny (read,search,compare) userdn != "ldap:///all";)
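Review bot: The deny rule on the `+aci:` line carries no `target` or `targetfilter`, so as written it covers the listed attributes on every entry beneath the entry that holds the ACI. In 389 Directory Server a deny takes precedence over any allow, so a later allow ACI cannot restore anonymous read for a client that depends on one of these attributes. Consider scoping the rule to the containers that hold the HBAC data, and note in the update file that `userdn != "ldap:///all"` is there to match unauthenticated binds.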
>>>
>>> Nack, without 'member', nss_ldap will have no way to determine
>>> posixAccount group memberships using anonymous access (the default).
>>>
>>> Simo.
>>>
>>
>> Ok, dropped member and added an aci for cn=roles.
>>
>> rob
>
> ACK
>

pushed to master



