[Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating
Dmitri Pal
dpal at redhat.com
Fri Jan 3 19:37:55 UTC 2014
On 01/03/2014 02:33 PM, Stephen Ingram wrote:
> On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 01/03/2014 12:50 PM, Will Sheldon wrote:
>> Thanks Petr, that certainly makes sense from the point of view of
>> functionality.
>>
>> I do think the default is sane, but there are a lot of possible
>> deployment scenarios and my concern is that a junior or time poor
>> admin looking to implement a trusted, secure solution should be
>> made aware of any potential data leakage during configuration,
>> (preferably in big red letters in the documentation, or better
>> still, the install script).
>>
>> Though I am reluctant to draw comparisons between IPA and MS AD
>> they do seem inevitable. AD restricts anonymous binds to the
>> rootDSE entry by default and as such this may be considered by
>> many to be the expected default. Extra care should therefore be
>> made to point out this difference. To do otherwise risks
>> undermining the confidence of users in the security of the solution.
>
> It is a double-edged sword. We compared IPA to LDAP-based solutions
> and with those you have (had) anonymous bind enabled by default.
> IMO it is the question of a migration. The field of centralized
> authentication is crowded with all sorts of different solutions,
> though not that integrated as AD or IdM.
> It seems that migrating and then tightening security to the level
> you need is the way to go. The default you suggest might be a
> barrier to migration as people usually tackle problems one step at
> a time.
> I am not against changing the default eventually but I am not sure
> it is the time to.
>
> But maybe I am wrong. Are there any opinions on the matter?
>
>
> I think traditionally LDAP-based solutions have been used as true
> directories where one might be able to search for people through say a
> Web-based interface, for example at a university. Whereas AD can also
> be deployed as a directory, but more often than not through, say, an
> email interface (e.g. Outlook) where the user has already gained
> access via their own credentials so there was not a need to allow
> anonymous binds. I like following the tradition of LDAP-based
> directories where anonymous access is allowed by default, however, it
> would be really nice as the OP requested to have controls available
> via the WebUI where the admin could apply ACLs to the directory to
> restrict access to various areas. As changing the overall access
> scheme requires a directory restart, I'm not too sure how easy it
> would be to incorporate that into the WebUI, but maybe a notice
> somewhere to reinforce the "open" nature of the directory if the
> default is retained.
>
> Steve
As was mentioned, there are two options. The anonymous bind can be
globally disabled. IMO it is not a UI option, it is a deployment option.
The ability to create fine-grained access control rules, including read
access, is in the works, as Petr mentioned in the earlier email. It seems
like we are covered, or am I missing something?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
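As an added example that is not part of this thread: a small shell script an admin could use to check whether their directory answers anonymous searches for user entries, and the LDIF that limits anonymous binds to the rootDSE (the AD-style default discussed above). The host and base DN are placeholders, and the 389 DS `nsslapd-allow-anonymous-access` setting in `cn=config` is my assumption about how the global switch is expressed; nobody in the messages above names it.

```shell
#!/bin/sh
# Added example: audit anonymous read access to a FreeIPA directory and
# print the LDIF that restricts anonymous binds. Assumes OpenLDAP client
# tools and a 389 DS backend whose cn=config attribute
# nsslapd-allow-anonymous-access accepts on / off / rootdse.

# Count entries in LDIF output read from stdin (one "dn:" or "dn::" line each).
count_entries() {
    grep -c -E '^dn::? ' || true   # grep exits 1 on zero matches but prints 0
}

# Anonymous simple bind (-x without -D) and search of the IPA users container.
anon_user_search() {
    host=$1; basedn=$2
    ldapsearch -x -LLL -H "ldap://$host" \
        -b "cn=users,cn=accounts,$basedn" '(objectClass=posixAccount)' uid mail
}

# Report how many user entries an unauthenticated client can read.
# Returns 0 when nothing leaks, 1 when entries leak, 2 when the search
# itself failed (server unreachable, or anonymous binds already refused).
audit_anonymous_access() {
    out=$(anon_user_search "$1" "$2") || {
        echo "ldapsearch against $1 failed; anonymous bind refused or host down"
        return 2
    }
    n=$(printf '%s\n' "$out" | count_entries)
    echo "anonymous search returned $n user entries from $1"
    [ "$n" -eq 0 ]
}

# LDIF that limits anonymous binds to the rootDSE. Apply as Directory Manager:
#   ldapmodify -x -D 'cn=Directory Manager' -W -H ldap://HOST -f lockdown.ldif
# then restart the directory server; the change is global, not per-area.
lockdown_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

# Usage: sh audit-anon.sh ipa.example.test dc=example,dc=test
if [ "$#" -eq 2 ]; then
    rc=0
    audit_anonymous_access "$1" "$2" || rc=$?
    [ "$rc" -eq 1 ] && lockdown_ldif
fi
```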