[Freeipa-users] Disable Anonymous LDAP another way...
Tommy McNeely
tommythekid at gmail.com
Tue Sep 23 23:49:18 UTC 2014
DISREGARD!
Sorry all, do not actually try my query; it makes authentication not work,
at least on CentOS 6.
Here is the doc I actually read the first time:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html
(google search led me here)
... which says to turn it off, while the one I linked above:
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
says to set it to "rootdse" which allows the necessary access for detecting
configuration, but blocks access to directory data.
I just misread it in the F18 docs.
Sorry for the noise :)
On Tue, Sep 23, 2014 at 5:11 PM, Tommy McNeely <tommythekid at gmail.com> wrote:
> Hi all,
>
> I have seen the documentation on how to disable anonymous access
> *completely* at
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
>
> However, I think that those base rootdse queries are probably important. I
> originally thought they only happened when running "ipa-client-install" but
> some quick tailing of the access log indicates to me that they happen a lot.
>
> So, instead of flipping the big switch in cn=config, has anyone considered
> just removing anonymous access to the *directory* data like:
>
> # Remove Anonymous Access to main directory
> dn: dc=example,dc=com
> changetype: modify
> delete: aci
> aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
>
> Would that work without breaking things? Do we have any information on
> what "broken" systems require anonymous LDAP binds and which ones do not?
>
> Thanks in advance,
> Tommy
>
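As an added example (not from this thread and not FreeIPA's own tooling), the script below does the three things the thread circles around: it emits the cn=config change the F18 guide describes (nsslapd-allow-anonymous-access set to "rootdse" rather than "off", so anonymous clients can still read the rootDSE but not directory data), it classifies what an anonymous probe against a server actually gets back, and it triages a 389-ds access log to count how many anonymous binds only touch the rootDSE versus real directory data, which is the "they happen a lot" question Tommy raised. It assumes openldap-clients (ldapsearch/ldapmodify) on the path, a placeholder IPA master hostname passed as an argument, Directory Manager credentials prompted for interactively, and constructed sample log lines in the 389-ds access log format; the expectation that a refused anonymous data search comes back as LDAP result 48 (inappropriateAuthentication) is mine, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread. Shows the "rootdse" setting
# from the F18 FreeIPA guide, a probe to confirm what anonymous clients see,
# and access-log triage of anonymous binds. Hostname/suffix are placeholders.

# LDIF for the global switch in cn=config. Values: on (default), off (blocks
# even the rootDSE; the thread found this breaks client authentication),
# rootdse (anonymous may read only the rootDSE, not directory data).
anon_access_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

# Apply it as Directory Manager over LDAPS (prompts for the password).
apply_rootdse() {
    anon_access_ldif | ldapmodify -x -H "ldaps://$1" -D "cn=Directory Manager" -W
}

# Map the exit codes of two anonymous searches (rootDSE, then directory data)
# to the effective policy. ldapsearch exits with the LDAP result code; a refused
# anonymous search is expected to give 48 (inappropriateAuthentication).
classify_anon_policy() {
    case "$1:$2" in
        0:0) echo "on" ;;       # anonymous can read directory data
        0:*) echo "rootdse" ;;  # rootDSE readable, data refused: the desired state
        *)   echo "off" ;;      # even the rootDSE is refused
    esac
}

# Probe a server anonymously: base search of the rootDSE, then of the suffix.
probe_anon_access() {
    host=$1; suffix=$2; r=0; d=0
    ldapsearch -x -H "ldap://$host" -b "" -s base -LLL namingContexts >/dev/null 2>&1 || r=$?
    ldapsearch -x -H "ldap://$host" -b "$suffix" -s base -LLL dn >/dev/null 2>&1 || d=$?
    classify_anon_policy "$r" "$d"
}

# Access-log triage: remember connections that did a simple anonymous bind
# (BIND dn="" method=128; GSSAPI binds also show dn="" but method=sasl and are
# skipped), then bucket their searches by base. base="" is the rootDSE.
# Note: 389-ds reuses conn numbers after a connection closes; for a long log
# reset the mark on "closed" lines as well.
anon_search_summary() {
    awk '
    / BIND dn="" method=128/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) anon[$i] = 1
    }
    / SRCH base=/ {
        conn = ""; base = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/) conn = $i
            if ($i ~ /^base=/) base = $i
        }
        if (conn in anon) {
            if (base == "base=\"\"") rootdse++; else data++
        }
    }
    END { printf "rootdse=%d data=%d\n", rootdse + 0, data + 0 }'
}

# Constructed sample access-log lines (not from a real server): one anonymous
# rootDSE probe, one anonymous search of user data, one authenticated search.
sample_access_log() {
    cat <<'EOF'
[23/Sep/2014:17:05:11 -0600] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[23/Sep/2014:17:05:11 -0600] conn=12 op=0 BIND dn="" method=128 version=3
[23/Sep/2014:17:05:11 -0600] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Sep/2014:17:05:11 -0600] conn=12 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* namingContexts supportedSASLMechanisms"
[23/Sep/2014:17:05:11 -0600] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Sep/2014:17:05:12 -0600] conn=13 op=0 BIND dn="" method=128 version=3
[23/Sep/2014:17:05:12 -0600] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Sep/2014:17:05:12 -0600] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=tommy)" attrs="uid uidNumber"
[23/Sep/2014:17:05:12 -0600] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Sep/2014:17:05:13 -0600] conn=14 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/Sep/2014:17:05:13 -0600] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[23/Sep/2014:17:05:13 -0600] conn=14 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=tommy)" attrs="ALL"
EOF
}

# Usage: sh anon-ldap.sh probe ipa.example.test dc=example,dc=com
#        sh anon-ldap.sh apply ipa.example.test
#        sample_access_log | anon_search_summary   -> rootdse=1 data=1
case "${1:-}" in
    probe) probe_anon_access "$2" "$3" ;;
    apply) apply_rootdse "$2" ;;
esac
```

Run the triage against the real log (`anon_search_summary < /var/log/dirsrv/slapd-INSTANCE/access`, path per your instance) before and after the change: a healthy "rootdse" deployment should keep showing rootDSE hits from clients and SSSD while the data count drops to zero, and the probe should print "rootdse". If the probe prints "off", clients will be in the state the first post in this thread describes.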