[Freeipa-users] allowing anonymous access to ipa directory

Stephen Ingram sbingram at gmail.com
Thu Apr 14 00:26:15 UTC 2011


This question might be better posed on a general directory server
list; however, as IPA obviously contains very sensitive data, I'm
curious as to what IPA users think. Although IPA uses extensive ACLs
to shield the most important directory attributes from general view,
it does allow anonymous access to many of the general entries. I
notice that many directories do this to allow outside firms to view
addressbook-type information of the company from their directories and
referrals also depend on this functionality. I'm wondering though, if
you have users from multiple domains in your directory with say name
and email address information available, wouldn't this just be a
free-for-all for some enterprising spammer or such? Or, if hosting DNS
from IPA, wouldn't host records be available to aid potential attackers
in mapping network systems? Shouldn't this be controlled further in some
instances and perhaps require at least a user bind (if not a TLS/SSL
layer) to access this information?

Steve



