[Freeipa-devel] Compat tree permissions
Alexander Bokovoy
abokovoy at redhat.com
Wed Sep 3 11:02:53 UTC 2014
On Wed, 03 Sep 2014, Martin Kosek wrote:
>On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
>> On Wed, 03 Sep 2014, Petr Viktorin wrote:
>>> On 09/03/2014 10:17 AM, Martin Kosek wrote:
>>> [...]
>>>>> Exposing the same data anonymously over compat tree when it is available
>>>>> only for authenticated users over primary tree isn't secure.
>>>>
>>>> If you check
>>>> cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>>> you would see that we only allow attributes we already expose to anonymous as
>>>> in the basic permission. So it is not that bad.
>>>
>>> For users, yes. I assume we want the others to be authenticated only?
>> My point was that if we are hiding from anonymous access even the fact
>> that certain user or group exists
>
>Are we?
I was under impression we've followed the change requested by some our
users to knock down anonymous access completely but I still see
# FIXME: We need to allow truly anonymous access only to NIS data for
# older clients. We need to allow broad access to most attributes only
# to authenticated users
in install/share/default-aci.ldif
Maybe it is time to do so?
>> 4.0.x where your existing clients using non-bound version will stop
>> authorizing sudo commands. And this issue is huge.
>
>Right, this affects Legacy clients feature, makes our ipa-advise insufficient.
Means we should improve the advices.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list