[Freeipa-devel] [PATCHES] 0532-0533 Extend anonymous read ACI for containers

Martin Kosek mkosek at redhat.com
Fri Apr 18 13:49:13 UTC 2014

On 04/18/2014 03:43 PM, Simo Sorce wrote:
> On Fri, 2014-04-18 at 13:50 +0200, Petr Viktorin wrote:
>> This extends the "Anonymous read access to containers" ACI to cover 
>> cn=etc, as discussed in [0].
>> A new objectClass is added so we can exclude virtual ops with 
>> targetfilter: ipaVirtualOperation (2.16.840.1.113730.
>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00319.html

It works perfectly except one subtree we missed during initial review and which
we should discuss:


It contains list of replicas (not FreeIPA masters) connected to FreeIPA.
Currently, this only affects Winsync replicas.

I just verified that anonymous user can retrieve list of connected ADs via
winsync. Question is, how to prevent it given that this is created dynamically
also by older FreeIPA server and given that it has no special objectsclass to
base a filtration on.

Maybe we would need to add a deny ACI in this case after all?


More information about the Freeipa-devel mailing list