[Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating
Will Sheldon
mail at willsheldon.com
Fri Jan 3 01:23:58 UTC 2014
This is cause for concern. Is there a hardening / best practices for
production guide anywhere, did I miss a section of the documentation?
What else do I need to secure?
I understand that there is a tradeoff between security and compatibility,
but maybe there should be an ipa-secure script somewhere?
On Wed, Jan 1, 2014 at 10:41 AM, Jitse Klomp <jitseklomp at gmail.com> wrote:
> It is possible to disable anonymous binds to the directory server. Take a
> look at https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
>
> - Jitse
>
>
>
> On 01/01/2014 07:01 PM, Rajnesh Kumar Siwal wrote:
>
>> It exposes the details of all the users/admins in the environment.
>> There should be a user that the IPA should use to fetch the details from
>> the IPA Servers. Without Authentication, no one should be able to fetch
>> any information from the IPA Server.
>>
>
--
Kind regards,
Will Sheldon
+1.(778)-689-4144
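
An added example, not part of the original thread and not FreeIPA project code: a small audit of the anonymous-bind setting discussed above. It assumes the 389 Directory Server attribute `nsslapd-allow-anonymous-access` in `cn=config` (values `on`, `off`, `rootdse`; unset means `on`) and reads the instance's `dse.ldif` (typically `/etc/dirsrv/slapd-<INSTANCE>/dse.ldif`); the sample LDIF and function names are constructed for illustration.

```python
# Added example; SAMPLE_DSE is constructed, not taken from a real server.
SAMPLE_DSE = """\
dn: cn=config
cn: config
nsslapd-port: 389
nsslapd-allow-anonymous-
 access: on

dn: cn=changelog5,cn=config
cn: changelog5
"""

# Remediation LDIF: keep only the root DSE readable without a bind, so
# clients can still discover the server. Apply with ldapmodify as
# Directory Manager.
FIX_LDIF = """\
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
"""

def unfold(text):
    """Join LDIF continuation lines (lines that begin with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def anonymous_access(ldif_text):
    """Return cn=config's nsslapd-allow-anonymous-access ('on' if unset)."""
    in_config, value = False, "on"  # assumption stated above: unset means 'on'
    for line in unfold(ldif_text):
        name, _, val = line.partition(":")
        name, val = name.strip().lower(), val.strip().lower()
        if name == "dn":
            in_config = val.replace(" ", "") == "cn=config"
        elif not line.strip():
            in_config = False  # a blank line ends the current entry
        elif in_config and name == "nsslapd-allow-anonymous-access":
            value = val
    return value

def audit(ldif_text):
    """Return (ok, remediation); ok is False while full anonymous reads are on."""
    value = anonymous_access(ldif_text)
    return (value != "on", "" if value != "on" else FIX_LDIF)

if __name__ == "__main__":
    print(audit(SAMPLE_DSE))
```
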