[Freeipa-users] allowing anonymous access to ipa directory
Dmitri Pal
dpal at redhat.com
Thu Apr 14 00:43:27 UTC 2011
On 04/13/2011 08:26 PM, Stephen Ingram wrote:
> This question might be better posed on a general directory server
> list, however, as ipa obviously contains very sensitive data, I'm
> curious as to what ipa users think. Although ipa uses extensive acl's
> to shield the most important directory attributes from general view,
> it does allow anonymous access to many of the general entries. I
> notice that many directories do this to allow outside firms to view
> addressbook-type information of the company from their directories and
> referrals also depend on this functionality. I'm wondering though, if
> you have users from multiple domains in your directory with say name
> and email address information available, wouldn't this just be a
> free-for-all for some enterprising spammer or such? Or, if hosting dns
> from ipa, host records available to aid potential attackers to map
> network systems? Shouldn't this be controlled further in some
> instances and perhaps require at least a user bind (if not a TLS/SSL
> layer) to access this information?
I know that DS team has implemented the functionality to disallow
anonymous bind.
I just do not recall whether this functionality is already in the bits
used by ipa.
Nathan, can you help with this one?
> Steve
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list