[Freeipa-devel] [PATCH] 245 Forbid public access to DNS tree

Rob Crittenden rcritten at redhat.com
Mon Apr 2 18:26:11 UTC 2012


Martin Kosek wrote:
> Test instructions are attached to ticket.
> --
> With a publicly accessible DNS tree in LDAP, anyone with access
> to the LDAP server can get all DNS data, as with a zone transfer,
> which is already restricted by ACL. Making the DNS tree not readable
> to the public is a common security practice and should be applied
> in FreeIPA as well.
>
> This patch adds a new deny rule to forbid access to the DNS tree for
> users or hosts without an appropriate permission or users that
> are not members of the admins group. The new permission/aci is
> applied both for new installs and upgraded servers.
>
> The bind-dyndb-ldap plugin is allowed to read the DNS tree without any
> change because its principal is already a member of the "DNS
> Servers" privilege.
>
> https://fedorahosted.org/freeipa/ticket/2569

ACK, pushed to master and ipa-2-2
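An illustrative 389-DS deny ACI of the kind the description above refers to, added here as an example and not the ACI shipped by the patch; the base DN, the permission name and the group DNs are assumptions.

```ldif
# Constructed example: deny read of the DNS container to anyone who is
# neither a member of the admins group nor a holder of a DNS-read
# permission. Suffix, group and permission DNs are placeholders.
dn: cn=dns,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Deny public read of DNS tree (illustrative)"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com") AND (groupdn != "ldap:///cn=PLACEHOLDER DNS read permission,cn=permissions,cn=pbac,dc=example,dc=com");)

# Verification sketch (assumed commands, run against a test server):
# an anonymous or unprivileged bind should return no entries,
# while a DNS server principal or an admin still sees the zones:
#   ldapsearch -x -H ldap://ipa.example.com -b cn=dns,dc=example,dc=com '(objectClass=idnszone)'
```

A deny rule is evaluated before allow rules in 389-DS, so an existing broad read ACI on the suffix no longer exposes the DNS subtree once this entry is in place.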
