[Freeipa-users] Disable Anonymous LDAP another way...

Tommy McNeely tommythekid at gmail.com
Tue Sep 23 23:11:10 UTC 2014


Hi all,

I have seen the documentation on how to disable anonymous access
*completely* at
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html

However, I think that those base rootdse queries are probably important. I
originally thought they only happened when running "ipa-client-install" but
some quick tailing of the access log indicates to me that they happen a lot.

So, instead of flipping the big switch in cn=config, has anyone considered
just removing anonymous access to the *directory* data like:

# Remove Anonymous Access to main directory
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr != "u
 serPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwor
 dHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipa
 NTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read,
  search, compare) userdn = "ldap:///anyone";)



Would that work without breaking things? Do we have any information on what
"broken" systems require anonymous LDAP binds and which ones do not?

Thanks in advance,
Tommy
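A check worth running after deleting that ACI, as an added example that is not from this thread or from FreeIPA itself: it takes the `aci` attribute of the suffix entry as `ldapsearch -LLL` exports it, unfolds the LDIF continuation lines (the folding the mail wrapping above mangled), and lists every ACI that still grants rights to `ldap:///anyone`. The sample LDIF is constructed, not captured from a real server.

```python
import base64
import re

# Constructed sample of `ldapsearch -x -LLL -s base -b dc=example,dc=com aci`
# output. LDIF folds long values: a line starting with one space continues the
# previous line, which is exactly what mail-client wrapping breaks.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr !=
  "userPassword || krbPrincipalKey")(version 3.0; acl "Enable Anonymous access"
 ; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "Admin can manage any entry"; allow (al
 l) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)
"""

ANYONE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
ALLOW = re.compile(r'allow\s*\(([^)]*)\)')


def unfold_ldif(text):
    """(attribute, value) pairs with folded lines joined and '::' base64 decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # continuation: drop the single leading space
        elif raw:
            logical.append(raw)
    pairs = []
    for line in logical:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def anonymous_acis(text):
    """(acl name, rights) for each ACI that allows anything to ldap:///anyone."""
    hits = []
    for attr, value in unfold_ldif(text):
        if attr != "aci" or not ANYONE.search(value):
            continue
        allow = ALLOW.search(value)
        if allow is None:               # deny rule: not an exposure
            continue
        name = ACL_NAME.search(value)
        rights = [r.strip() for r in allow.group(1).split(",")]
        hits.append((name.group(1) if name else "<unnamed>", rights))
    return hits
```

An empty result after the `ldapmodify` means no suffix-level ACI still opens directory data to unauthenticated binds, while rootDSE reads (which need no ACI) keep working.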