This adds anonymous read access to containers, as discussed in this thread: https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html

Additionally access is granted for $SUFFIX itself with targetfilter "(objectclass=domain)", and attributes objectclass, dc, info, nisDomain, associatedDomain.

These are raw ACIs, not permission-based ones.

From 6281a7159138d7c3bf024ed4ff370fe1193c5799 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 3 Apr 2014 12:40:48 +0200
Subject: [PATCH] Allow anonymous read access to containers

All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass.
These are the same in all IPA installations so they don't provide
any sensitive information.

Also, $SUFFIX itself can now be read anonymously.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
 install/updates/20-aci.update | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 3f27eb84416f3869b65d424d10f46b1a8572dee9..e9e1fe9db4d9c594ae0485c6f7cec8a668a8ff92 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -16,3 +16,11 @@ dn: cn=computers,cn=accounts,$SUFFIX
 dn: cn=computers,cn=accounts,$SUFFIX
 add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'
+# Read access to $SUFFIX itself
+dn: $SUFFIX
+add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";;)'
+# Read access to containers
+dn: $SUFFIX
+add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)'

Freeipa-devel mailing list

Reply via email to