[Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

JR Aquino JR.Aquino at citrix.com
Thu Jan 20 15:03:33 UTC 2011


I think it is safe to give up member.  It is necessary for nss_ldap and
nis.

If we remove member and add the role container, I think that should cover
the low-hanging fruit that discloses authorization data.

On 1/19/11 3:28 PM, "Simo Sorce" <ssorce at redhat.com> wrote:

>On Wed, 19 Jan 2011 17:51:56 -0500
>Rob Crittenden <rcritten at redhat.com> wrote:
>
>> +aci: (targetattr = "member || memberOf || memberHost ||
>> memberUser")(version 3.0; acl "No anonymous access to member
>> information"; deny (read,search,compare) userdn != "ldap:///all";)
>
>Nack, without 'member', nss_ldap will have no way to determine
>posixAccount group memberships using anonymous access (the default).
>
>Simo.
>
>-- 
>Simo Sorce * Red Hat, Inc * New York
>