[Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

Stephen Ingram sbingram at gmail.com
Fri Jan 3 19:33:50 UTC 2014


On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal <dpal at redhat.com> wrote:

> On 01/03/2014 12:50 PM, Will Sheldon wrote:
>
> Thanks Petr, that certainly makes sense from the point of view of
> functionality.
>
> I do think the default is sane, but there are a lot of possible deployment
> scenarios and my concern is that a junior or time-poor admin looking to
> implement a trusted, secure solution should be made aware of any potential
> data leakage during configuration, (preferably in big red letters in the
> documentation, or better still, the install script).
>
> Though I am reluctant to draw comparisons between IPA and MS AD they do
> seem inevitable. AD restricts anonymous binds to the rootDSE entry by
> default and as such this may be considered by many to be the expected
> default. Extra care should therefore be taken to point out this difference.
> To do otherwise risks undermining the confidence of users in the security
> of the solution.
>
>
> It is a double-edged sword. We compared IPA to LDAP based solutions and
> with those you have (had) anonymous bind enabled by default.
> IMO it is the question of a migration. The field of centralized
> authentication is crowded with all sorts of different solutions, though not
> as integrated as AD or IdM.
> It seems that migrating and then tightening security to the level you need
> is the way to go. The default you suggest might be a barrier to migration
> as people usually tackle problems one step at a time.
> I am not against changing the default eventually but I am not sure it is
> the time to.
>
> But maybe I am wrong. Are there any opinions on the matter?
>

I think traditionally LDAP-based solutions have been used as true
directories where one might be able to search for people through say a
Web-based interface, for example at a university. Whereas AD can also be
deployed as a directory, but more often than not through say an email
interface (e.g. Outlook) where the user has already gained access via their
own credentials so there was not a need to allow anonymous binds. I like
following the tradition of LDAP-based directories where anonymous access is
allowed by default, however, it would be really nice as the OP requested to
have controls available via the WebUI where the admin could apply ACLs to
the directory to restrict access to various areas. As changing the overall
access scheme requires a directory restart, I'm not too sure how easy it
would be to incorporate that into the WebUI, but maybe a notice somewhere
to reinforce the "open" nature of the directory if the default is retained.

Steve
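An added audit-and-hardening example, not from this thread and not FreeIPA project code: it gives an admin a repeatable way to see whether the directory answers an unauthenticated search for user entries (the exposure the subject line describes), and shows the 389 Directory Server `cn=config` change, `nsslapd-allow-anonymous-access: rootdse`, that limits anonymous binds to the rootDSE, the AD-like behaviour Will compares against. It assumes the OpenLDAP client tools (`ldapsearch`, `ldapmodify`) are installed; the server URL, the base DN and the `cn=Directory Manager` bind DN are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project).
# Audits anonymous read access to user entries on a FreeIPA/389-DS server and
# prints the LDIF that restricts anonymous binds to the rootDSE.
# Assumptions: OpenLDAP client tools on PATH; ldap://ipa.example.test and
# dc=example,dc=test are placeholder values, not a real deployment.

# Anonymous search: -x (simple bind) with no -D/-w means no credentials at
# all. Returns the raw LDIF for POSIX user entries under the IPA users
# container. Arguments: server URL, users base DN (both placeholders).
anon_user_search() {
    url="${1:-ldap://ipa.example.test}"
    base="${2:-cn=users,cn=accounts,dc=example,dc=test}"
    ldapsearch -x -LLL -H "$url" -b "$base" '(objectClass=posixAccount)' uid 2>/dev/null
}

# Classify captured ldapsearch output read from stdin: "exposed" if at least
# one entry (a "dn: " line) came back to the anonymous caller, otherwise
# "restricted". With anonymous access limited to the rootDSE the server
# returns an error and no entries, so the count is zero.
classify_anon_result() {
    count=$(grep -c '^dn: ' || true)   # grep -c prints 0 on no match
    if [ "$count" -gt 0 ]; then
        printf 'exposed\n'
    else
        printf 'restricted\n'
    fi
}

# LDIF for the 389-DS cn=config attribute that controls anonymous binds.
# Values: "on" (default: anonymous searches allowed), "off" (no anonymous
# binds at all), "rootdse" (anonymous callers may read only the rootDSE,
# which is what AD does by default).
restrict_anon_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

# Apply the change as Directory Manager (-W prompts for the password).
# Placeholder URL; run only after checking that enrolment tooling and any
# applications relying on anonymous reads still work against a test server.
apply_restrict() {
    url="${1:-ldap://ipa.example.test}"
    restrict_anon_ldif | ldapmodify -x -H "$url" -D "cn=Directory Manager" -W
}

# Subcommands: "audit [url] [base]" or "restrict [url]". With no argument the
# script only defines the functions, so it can be sourced safely.
case "${1:-}" in
    audit)    anon_user_search "${2:-}" "${3:-}" | classify_anon_result ;;
    restrict) apply_restrict "${2:-}" ;;
    *)        : ;;
esac
```

Usage: `sh anon_audit.sh audit ldap://ipa.example.test` prints `exposed` or `restricted`; `sh anon_audit.sh restrict ldap://ipa.example.test` pushes the LDIF. Re-running the audit afterwards is the check that the change took effect.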