[Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating
Petr Viktorin
pviktori at redhat.com
Fri Jan 3 12:53:13 UTC 2014
On 01/03/2014 02:23 AM, Will Sheldon wrote:
>
> This is cause for concern. Is there a hardening / best practices for
> production guide anywhere, did I miss a section of the documentation?
>
> What else do I need to secure?
>
> I understand that there is a tradeoff between security and
> compatibility, but maybe there should be a ipa-secure script somewhere?
We are working on making the read permissions granular, so you can make
your own tradeoffs if IPA defaults aren't appropriate for your use.
The work is tracked in https://fedorahosted.org/freeipa/ticket/3566 and
linked tickets 4032-4034.
> On Wed, Jan 1, 2014 at 10:41 AM, Jitse Klomp <jitseklomp at gmail.com
> <mailto:jitseklomp at gmail.com>> wrote:
>
> It is possible to disable anonymous binds to the directory server.
> Take a look at
> https://docs.fedoraproject.__org/en-US/Fedora/18/html/__FreeIPA_Guide/disabling-anon-__binds.html
> <https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html>
>
> - Jitse
>
>
>
> On 01/01/2014 07:01 PM, Rajnesh Kumar Siwal wrote:
>
> It exposes the details of all the users/admins in the environment.
> There should be a user that the IPA should use to fetch the
> details from
> the IPA Servers. Without Authentication , no one should be able
> to fetch
> any information from the IPA Server.
--
Petr³
More information about the Freeipa-users
mailing list