[Freeipa-users] Hardening freeipa on the internet

Martin Kosek mkosek at redhat.com
Wed Apr 30 07:19:15 UTC 2014


On 04/28/2014 05:16 PM, Simo Sorce wrote:
> On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote:
>>> I realized that you probably want to disable anonymous access to LDAP. It
>>> will prevent random strangers from enumerating all users in your database...
>>
>> This sounds like a bug no? anonymous access to LDAP?
> 
> Historically many Linux and Unix OSs did not authenticate to LDAP to
> download POSIX info, so by default we allow anonymous access to a lot of
> the tree.
> We are in the process of changing how the permissions work in 4.0, and
> will contextually close down a lot more of the tree, letting the admin
> configure access more easily.
> 
> So, no it is not technically a bug, but it is something you want to look
> out for as an admin.
> 
> Simo.
> 

Let me just advertise the core feature of the upcoming FreeIPA 4.0, which contains
a re-design of ACIs and permissions in FreeIPA:

http://www.freeipa.org/page/V4/Permissions_V2

With this feature, it will be very easy to control the visibility of different
parts of the FreeIPA DIT - i.e. for example allow POSIX user attributes for
anonymous but allow other attributes to authenticated users only, same with
groups, HBAC rules, ...

Martin
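A small added example, not code from the FreeIPA project or from any poster in this thread, that shows the two things an admin following this thread would do today, before the 4.0 permissions rework: probe whether an anonymous simple bind can enumerate users, and, if it can, restrict anonymous access in the underlying 389 Directory Server to the root DSE only. The host name ipa.example.com, the base DN dc=example,dc=com and the standard FreeIPA user container cn=users,cn=accounts are assumptions. The caveat Simo raises applies: any client that still reads POSIX data over an unauthenticated LDAP bind will stop working once anonymous access is closed, so probe first and check what depends on it.

```shell
#!/bin/sh
# Added example (not FreeIPA project code). Assumed values: the server name,
# base DN and Directory Manager bind; override via the environment.
IPA_HOST="${IPA_HOST:-ipa.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# Count user entries in ldapsearch -LLL output read from stdin. Kept separate
# from the network call so it can be exercised on captured output.
count_anon_users() {
    grep -c '^uid: ' || true
}

# Anonymous simple bind (-x with no -D): if this prints a non-zero count,
# anyone on the network can enumerate your user base.
probe_anon_enum() {
    ldapsearch -x -LLL -H "ldap://$IPA_HOST" \
        -b "cn=users,cn=accounts,$BASE_DN" \
        '(objectClass=posixAccount)' uid | count_anon_users
}

# LDIF for the 389-ds cn=config switch. 'rootdse' keeps the root DSE readable
# so clients can still discover supported SASL mechanisms and controls;
# 'off' would block even that.
disable_anon_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

# Apply the change as Directory Manager over STARTTLS (-ZZ) so the password
# does not cross the wire in clear; prompts for the password (-W).
apply_fix() {
    disable_anon_ldif | ldapmodify -x -ZZ -H "ldap://$IPA_HOST" \
        -D "cn=Directory Manager" -W
}
```

Run `probe_anon_enum` before and after `apply_fix`; after the change the anonymous search should return no entries (or an error), while a GSSAPI-authenticated search (`ldapsearch -Y GSSAPI ...` with a valid ticket) still works. The 4.0 permissions design linked above is the finer-grained alternative: it lets you keep the POSIX attributes anonymously readable for legacy clients while hiding everything else.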




More information about the Freeipa-users mailing list