[Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

Dmitri Pal dpal at redhat.com
Fri Jan 3 19:37:55 UTC 2014


On 01/03/2014 02:33 PM, Stephen Ingram wrote:
> On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 01/03/2014 12:50 PM, Will Sheldon wrote:
>>     Thanks Petr, that certainly makes sense from the point of view of
>>     functionality.
>>
>>     I do think the default is sane, but there are a lot of possible
>>     deployment scenarios and my concern is that a junior or time poor
>>     admin looking to implement a trusted, secure solution should be
>>     made aware of any potential data leakage during configuration,
>>     (preferably in big red letters in the documentation, or better
>>     still, the install script).
>>
>>     Though I am reluctant to draw comparisons between IPA and MS AD
>>     they do seem inevitable. AD restricts anonymous binds to the
>>     rootDSE entry by default and as such this may be considered by
>>     many to be the expected default. Extra care should therefore be
>>     made to point out this difference. To do otherwise risks
>>     undermining the confidence of users in the security of the solution.
>
>     It is a double-edged sword. We compared IPA to LDAP based solutions
>     and with those you have (had) anonymous bind enabled by default.
>     IMO it is the question of a migration. The field of centralized
>     authentication is crowded with all sorts of different solutions,
>     though not that integrated as AD or IdM.
>     It seems that migrating and then tightening security to the level
>     you need is the way to go. The default you suggest might be a
>     barrier to migration as people usually tackle problems one step at
>     a time.
>     I am not against changing the default eventually but I am not sure
>     it is the time to.
>
>     But maybe I am wrong. Are there any opinions on the matter?
>
>
> I think traditionally LDAP-based solutions have been used as true
> directories where one might be able to search for people through say a
> Web-based interface, for example at a university. Whereas AD can also
> be deployed as a directory, but more often than not through say an
> email interface (e.g. Outlook) where the user has already gained
> access via their own credentials so there was not a need to allow
> anonymous binds. I like following the tradition of LDAP-based
> directories where anonymous access is allowed by default, however, it
> would be really nice as the OP requested to have controls available
> via the WebUI where the admin could apply ACLs to the directory to
> restrict access to various areas. As changing the overall access
> scheme requires a directory restart, I'm not too sure how easy it
> would be to incorporate that into the WebUI, but maybe a notice
> somewhere to reinforce the "open" nature of the directory if the
> default is retained.
>
> Steve
As was mentioned, there are two options. The anonymous bind can be
globally disabled. IMO it is not a UI option, it is a deployment option.
The ability to create fine-grained access control rules, including read
access, is in the works, as Petr mentioned in the earlier email. Seems like
we are covered, or am I missing something?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
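Added example, not from this thread or the FreeIPA project: a small POSIX shell audit of the open default Dmitri and Steve discuss, with a constructed sample of what an open directory answers anonymously, plus the LDIF that limits anonymous access to the rootDSE. The host, suffix and sample entries are placeholders, and the config attribute nsslapd-allow-anonymous-access is assumed from 389 Directory Server, not taken from the thread.

```shell
#!/bin/sh
# Audit whether an IPA directory returns user entries to an unauthenticated
# search, and produce the 389-ds LDIF that closes it. Host and suffix are
# placeholders (assumptions, not from the thread).
IPA_HOST="${IPA_HOST:-ipa.example.test}"
BASE_DN="${BASE_DN:-dc=example,dc=test}"

# Unauthenticated search (-x with no -D) for user accounts.
anon_search() {
    ldapsearch -x -LLL -H "ldap://$IPA_HOST" \
        -b "cn=users,cn=accounts,$BASE_DN" '(objectClass=posixAccount)' uid \
        2>/dev/null
}

# Count entries ("dn:" lines) in the LDIF read from stdin.
count_entries() {
    grep -c '^dn:' || true
}

# Verdict on LDIF read from stdin: "leak" if any user entry came back
# without binding, "ok" otherwise.
verdict() {
    n=$(count_entries)
    if [ "$n" -gt 0 ]; then echo leak; else echo ok; fi
}

# LDIF that restricts anonymous access to the rootDSE, the AD-like default
# the thread compares against (the open default is "on"). Apply with
# ldapmodify as Directory Manager. Attribute name assumed from 389-ds docs.
restrict_anon_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

# Constructed sample of what an open directory returns anonymously.
SAMPLE_LEAK='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
'

if [ "${1:-}" = "--live" ]; then
    anon_search | verdict          # query the real server
else
    printf '%s' "$SAMPLE_LEAK" | verdict   # prints "leak" on the sample
fi
```

Run with `--live` against a server you administer to check its actual answer; without arguments it evaluates the constructed sample only.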

