Simo Sorce wrote:
On Wed, 19 Jan 2011 17:51:56 -0500
Rob Crittenden <[email protected]> wrote:
+aci: (targetattr = "member || memberOf || memberHost ||
memberUser")(version 3.0; acl "No anonymous access to member
information"; deny (read,search,compare) userdn != "ldap:///all";)
Nack, without 'member', nss_ldap will have no way to determine
posixAccount group memberships using anonymous access (the default).
Simo.
Ok, dropped member and added an aci for cn=roles.
rob
From ac8849bbff031222543588d3f6068a3b75843bec Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Thu, 20 Jan 2011 12:51:59 -0500
Subject: [PATCH] Block anonymous access to HBAC, role and some member information.
Prevents an unauthenticated user from accessing HBAC and role
information as well as memberof which could disclose roles,
memberships in HBAC, etc.
ticket 811
---
install/share/default-aci.ldif | 6 ++++++
install/share/delegation.ldif | 5 +++++
2 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index ff0e5ae..945b0bb 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,6 +4,7 @@ dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
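Review bot: the deny on `memberOf || memberHost || memberUser` is placed on `dn: $SUFFIX` with no `(target = ...)` clause, so it hides memberUser and memberHost on every entry under the suffix that carries them, not only the HBAC rules the commit message names; the commit message and the acl name ("member information") should say that, and it is worth checking with an anonymous `ldapsearch` that no client still binding anonymously (nss_ldap at its default, the reason `member` was dropped from this list) reads either attribute. The rule works because `userdn != "ldap:///all"` matches exactly the anonymous bind and 389-ds lets a matching deny override the `"Enable Anonymous access"` allow on the line above for these three attributes; a one-line comment in the LDIF stating that intent would save the next reader from re-deriving it.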
@@ -67,3 +68,8 @@ dn: cn=computers,cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
+dn: cn=hbac,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)
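Review bot: the hbac deny is stored on `cn=hbac,$SUFFIX` with `targetattr = "*"` and no `(target = ...)`, so it covers the container entry and everything below it, while the matching roles deny in delegation.ldif is stored on `$SUFFIX` with an explicit target on the child entries only. Both forms work, but using one pattern for both rules (either on the container, or on `$SUFFIX` with a target) keeps the anonymous-access denials easy to audit in one place. There is also no test for the new behaviour; an anonymous `ldapsearch -b cn=hbac,$SUFFIX` returning nothing, next to an authenticated search returning the rules, would document what is expected.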
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 79b5159..9a96365 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -558,6 +558,11 @@ aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=se
dn: $SUFFIX
changetype: modify
add: aci
+aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
+
+dn: $SUFFIX
+changetype: modify
+add: aci
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";)
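Review bot: the new deny is inserted into the existing `dn: $SUFFIX` modify block and a second `dn: $SUFFIX` / `changetype: modify` / `add: aci` header is then inserted in front of the three existing role ACIs, which splits one modify into two on the same entry. The result is equivalent, but appending the single new `aci:` line after the `"Modify Roles"` line in the existing block is simpler and keeps the diff to one added line. Also note that `(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")` matches the role entries but not `cn=roles,cn=accounts,$SUFFIX` itself, so an anonymous search of the container still succeeds with an empty result; that is fine if intended, but it differs from the `cn=hbac` rule in default-aci.ldif, which hides the container as well.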
--
1.7.3.4
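The thread leans on three ACI facts: `userdn != "ldap:///all"` selects only the anonymous bind, a matching deny overrides the broad "Enable Anonymous access" allow, and a `(target = ...)` with a wildcard scopes a rule to child entries. As an added example (not code from the patch or from FreeIPA), the following Python model evaluates the four ACIs from the patch against constructed sample entries and shows which attributes anonymous and authenticated binds can read: `memberOf` on users and everything under `cn=hbac` and `cn=*,cn=roles` disappear for anonymous, `member` on groups stays readable (Simo's nss_ldap point), and the `cn=roles` container itself is still visible anonymously. It assumes `dc=example,dc=test` for `$SUFFIX`, handles only the ACI syntax the patch uses, and simplifies 389-ds semantics to deny-over-allow with default deny.

```python
"""Toy model of how 389-ds evaluates the ACIs in the patch above (added example).
Simplified: a matching deny beats any allow, default deny, no filters/macros."""
import re
from dataclasses import dataclass

SUFFIX = "dc=example,dc=test"  # assumed stand-in for $SUFFIX in the LDIF

# ACIs from the patch, each paired with the entry (dn:) it is stored on.
ACIS = [
    (SUFFIX, '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword '
             '|| sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl '
             '"Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)'),
    (SUFFIX, '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl '
             '"No anonymous access to member information"; deny (read,search,compare) '
             'userdn != "ldap:///all";)'),
    (f"cn=hbac,{SUFFIX}", '(targetattr = "*")(version 3.0; acl "No anonymous access to '
             'hbac"; deny (read,search,compare) userdn != "ldap:///all";)'),
    (SUFFIX, f'(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,{SUFFIX}")'
             '(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) '
             'userdn != "ldap:///all";)'),
]
CLAUSE_RE = re.compile(r'\((\w+)\s*(!?=)\s*"([^"]*)"\)')
BODY_RE = re.compile(r'\(version 3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*'
                     r'userdn\s*(!?=)\s*"([^"]*)"\s*;\s*\)\s*$')

@dataclass
class Aci:
    placement: str     # entry holding the aci; it applies to that subtree
    permission: str    # "allow" or "deny"
    rights: set
    attrs: set         # lowercase attribute names, or {"*"}
    attr_negate: bool  # True for targetattr != "..."
    target: str        # "ldap:///..." DN pattern, "" when absent
    bind_negate: bool  # True for userdn != "..."
    bind_value: str

def parse_aci(placement, text):
    head, sep, tail = text.partition("(version 3.0;")
    m = BODY_RE.match(sep + tail)
    if not m:
        raise ValueError(f"unsupported aci: {text}")
    _name, perm, rights, op, value = m.groups()
    attrs, negate, target = set(), False, ""   # no targetattr -> no attribute targeted
    for clause, cop, cval in CLAUSE_RE.findall(head):
        if clause.lower() == "targetattr":
            attrs = {a.strip().lower() for a in cval.split("||")}
            negate = cop == "!="
        elif clause.lower() == "target":
            target = cval
    rights = {r.strip().lower() for r in rights.split(",")}
    return Aci(placement, perm, rights, attrs, negate, target, op == "!=", value)

PARSED = [parse_aci(p, t) for p, t in ACIS]

def _target_hit(pattern, entry_dn):
    # "*" stands for one RDN value; entries below a matching DN match too.
    pat = re.escape(pattern[8:].lower()).replace(r"\*", "[^,]+")
    return re.match("^(?:.+,)?" + pat + "$", entry_dn.lower()) is not None

def _bind_hit(aci, bind_dn, entry_dn):
    # Only the userdn forms that appear in FreeIPA's default ACIs are modelled.
    v = aci.bind_value.lower()
    if v == "ldap:///anyone":
        hit = True                                 # anonymous and authenticated alike
    elif v == "ldap:///all":
        hit = bind_dn is not None                  # any authenticated bind
    else:                                          # ldap:///self or a literal DN
        me = entry_dn if v == "ldap:///self" else v[8:]
        hit = bind_dn is not None and bind_dn.lower() == me.lower()
    return hit != aci.bind_negate                  # "!=" inverts the match

def can(bind_dn, entry_dn, attr, right, acis=PARSED):
    """True if bind_dn (None = anonymous) holds `right` on `attr` of `entry_dn`."""
    allowed = False
    for aci in acis:
        dn, base = entry_dn.lower(), aci.placement.lower()
        if (dn != base and not dn.endswith("," + base)) or right not in aci.rights:
            continue
        if aci.target and not _target_hit(aci.target, entry_dn):
            continue
        if ("*" in aci.attrs or attr.lower() in aci.attrs) == aci.attr_negate:
            continue
        if not _bind_hit(aci, bind_dn, entry_dn):
            continue
        if aci.permission == "deny":
            return False                           # a matching deny ends evaluation
        allowed = True
    return allowed

# Constructed sample entries: name -> (dn, attributes present on the entry).
ENTRIES = {
    "user":  (f"uid=alice,cn=users,cn=accounts,{SUFFIX}", ["uid", "memberof", "userpassword"]),
    "group": (f"cn=ipausers,cn=groups,cn=accounts,{SUFFIX}", ["cn", "member", "gidnumber"]),
    "hbac":  (f"ipauniqueid=1,cn=hbac,{SUFFIX}", ["cn", "memberuser", "memberhost"]),
    "role":  (f"cn=helpdesk,cn=roles,cn=accounts,{SUFFIX}", ["cn", "member"]),
}

def readable(bind_dn):
    """Attributes of each sample entry that bind_dn can read."""
    return {n: {a for a in attrs if can(bind_dn, dn, a, "read")} for n, (dn, attrs) in ENTRIES.items()}
```

Calling `readable(None)` gives the anonymous view (`user` shows only `uid`, `hbac` and `role` are empty, `group` still exposes `member`), while `readable(ENTRIES["user"][0])` shows the same entries as alice sees them, `memberof` included. The model deliberately stops at what the patch exercises: no `groupdn` rules, no filters, and no operational attributes, so it is a reasoning aid for these four lines rather than a substitute for testing against a running directory server.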
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel