I think it is safe to give up member. It is necessary for nss_ldap and nis.
If we remove member and add the role container, I think that should cover the low-hanging fruit that discloses authorization data.

On 1/19/11 3:28 PM, "Simo Sorce" <[email protected]> wrote:
>On Wed, 19 Jan 2011 17:51:56 -0500
>Rob Crittenden <[email protected]> wrote:
>
>> +aci: (targetattr = "member || memberOf || memberHost ||
>> memberUser")(version 3.0; acl "No anonymous access to member
>> information"; deny (read,search,compare) userdn != "ldap:///all";)
>
>Nack, without 'member', nss_ldap will have no way to determine
>posixAccount group memberships using anonymous access (the default).
>
>Simo.
>
>--
>Simo Sorce * Red Hat, Inc * New York
>
>_______________________________________________
>Freeipa-devel mailing list
>[email protected]
>https://www.redhat.com/mailman/listinfo/freeipa-devel
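Review bot: the `targetattr` list in the quoted `+aci:` line includes `member`, which is exactly the attribute nss_ldap reads over the default anonymous bind to resolve posixAccount group memberships, so this deny rule (applied to `userdn != "ldap:///all"`, i.e. any unauthenticated bind) breaks those lookups as the reply points out; since a deny ACI in 389 DS overrides any allow that would otherwise grant anonymous read, no other rule can compensate. Suggest narrowing the list to `(targetattr = "memberOf || memberHost || memberUser")` so only the authorization-bearing attributes are hidden from anonymous clients, and checking that none of those remaining attributes is needed by nss_ldap or nis before committing.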
