[Freeipa-users] ldap-filter, LDAP_MATCHING_RULE_IN_CHAIN, apache 2.2

Simo Sorce simo at redhat.com
Fri Mar 22 17:56:16 UTC 2013


On Fri, 2013-03-22 at 15:20 +0100, Jan-Frode Myklebust wrote:
> On Fri, Mar 22, 2013 at 09:59:14AM -0400, Dmitri Pal wrote:
> 
> > Because anonymous binds are rightly turned off by default,
> 
> They are? I don't think I've ever explicitly turned on anonymous binds,
> and my directories are open to anonymous searches. The confusing thing is
> that not all attributes are available when doing anonymous binds. Is
> there any way to configure how open we want the directory to be?
> 
> > The best would have been for apache to support GSSAPI for that matter
> > but based on the link you sent this is not the case.
> > IMO you should file an RFE for them to support GSSAPI bind and not only
> > bind with the password.
> 
> Newer apache supports nested groups, and all the needed attributes for
> that seem to be available through anonymous binds.. so no GSSAPI is
> needed (for us) there.

Using SSSD would probably be a better bet, you get caching for free and
*much* lower latency when stuff is in the mmap cache.

> IMHO it seems inconsistent that the memberOf attribute is hidden for anonymous
> searches on the user, but the "member" attribute on groups is not. Same
> information, different places in the tree.

The reason we suppress memberof is that we use grouping for more than
just posix groups memberships.
We use it also for delegation, HBAC, Roles and sudo rules, so to avoid
leaking information about privileges a user may have it was decided to
block memberof for unauthenticated binds.

The reasoning was that clients that can take correctly advantage of
freeipa's memberof can also authenticate in a secure way.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
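The point made in the thread above (group `member` is readable anonymously while user `memberOf` is not, and nested groups have to be followed one way or another) can be seen with the following added example. It is not code from the thread, from Apache or from FreeIPA; the directory entries, DNs and names in it are constructed to mimic what an anonymous search of a FreeIPA-style tree might return. It rebuilds a memberOf-style index client-side from the `member` attribute, follows nested groups transitively (including a self-referencing group), and builds the equivalent server-side filter for directories that implement LDAP_MATCHING_RULE_IN_CHAIN (the Active Directory OID 1.2.840.113556.1.4.1941), with the DN escaped per RFC 4515 so it cannot alter the filter:

```python
"""Client-side nested group resolution from the LDAP `member` attribute.

Added example; not code from the mailing-list thread, Apache or FreeIPA.
All DNs and entries below are constructed sample data (hypothetical suffix).
"""
from collections import defaultdict, deque

BASE = "dc=example,dc=test"  # hypothetical suffix
USERS = f"cn=users,cn=accounts,{BASE}"
GROUPS = f"cn=groups,cn=accounts,{BASE}"

ALICE = f"uid=alice,{USERS}"
BOB = f"uid=bob,{USERS}"
ADMINS = f"cn=admins,{GROUPS}"
OPS = f"cn=ops,{GROUPS}"
EVERYONE = f"cn=everyone,{GROUPS}"

# Constructed result set of an anonymous search: groups carry `member`,
# user entries carry no `memberOf` (as the thread describes for FreeIPA).
# `everyone` contains itself to exercise cycle handling.
SAMPLE_ENTRIES = {
    ALICE: {"objectClass": ["person", "posixAccount"], "uid": ["alice"]},
    BOB: {"objectClass": ["person", "posixAccount"], "uid": ["bob"]},
    ADMINS: {"objectClass": ["groupOfNames", "posixGroup"], "member": [ALICE]},
    OPS: {"objectClass": ["groupOfNames", "posixGroup"], "member": [BOB, ADMINS]},
    EVERYONE: {"objectClass": ["groupOfNames", "posixGroup"], "member": [OPS, EVERYONE]},
}


def is_group(entries, dn):
    """Treat any groupOfNames entry as a nestable group."""
    return "groupOfNames" in entries.get(dn, {}).get("objectClass", [])


def invert_membership(entries):
    """Rebuild a memberOf-style index (member DN -> groups) from each group's `member`."""
    index = defaultdict(set)
    for dn, attrs in entries.items():
        for member_dn in attrs.get("member", []):
            index[member_dn].add(dn)
    return index


def transitive_groups(entries, subject_dn):
    """All groups subject_dn belongs to, directly or via nesting (cycle-safe)."""
    index = invert_membership(entries)
    seen, queue = set(), deque([subject_dn])
    while queue:
        current = queue.popleft()
        for group_dn in index.get(current, ()):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return seen


def transitive_members(entries, group_dn):
    """Leaf (non-group) members of group_dn with nested groups expanded (cycle-safe)."""
    leaves, seen, queue = set(), {group_dn}, deque([group_dn])
    while queue:
        current = queue.popleft()
        for member_dn in entries.get(current, {}).get("member", []):
            if is_group(entries, member_dn):
                if member_dn not in seen:
                    seen.add(member_dn)
                    queue.append(member_dn)
            else:
                leaves.add(member_dn)
    return leaves


def dns_exposing(entries, attr):
    """DNs in a result set that carry attr; run on anonymous output to confirm
    memberOf is absent while member is present."""
    return sorted(dn for dn, attrs in entries.items() if attr in attrs)


def ldap_filter_escape(value):
    """RFC 4515 escaping so an attacker-influenced DN cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def in_chain_filter(subject_dn):
    """Server-side equivalent of transitive_groups for directories that implement
    LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941, an AD extension)."""
    return f"(member:1.2.840.113556.1.4.1941:={ldap_filter_escape(subject_dn)})"


if __name__ == "__main__":
    print("alice ->", sorted(transitive_groups(SAMPLE_ENTRIES, ALICE)))
    print("everyone members ->", sorted(transitive_members(SAMPLE_ENTRIES, EVERYONE)))
    print("memberOf exposed on:", dns_exposing(SAMPLE_ENTRIES, "memberOf"))
    print(in_chain_filter(ALICE))
```

Note that the client-side walk only sees what the anonymous search returned: if HBAC, sudo or role entries are not readable, their `member` lists are simply absent from the result set and nothing about those memberships is reconstructed, which is the property the thread describes for the suppressed memberOf attribute.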
