On Wed, 03 Sep 2014, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.
If you check
cn=users,cn=Schema Compatibility,cn=plugins,cn=config
you would see that we only allow attributes we already expose to anonymous as
in the basic permission. So it is not that bad.
For users, yes. I assume we want the others to be authenticated only?
My point was that if we are hiding from anonymous access even the fact
that certain user or group exists, compat tree is the one where we were
leaking this information. Do we want to continue giving it out for
unauthenticated?
It is not about specific attributes but rather just the fact that
certain user or group exists.
Finally, sudo compat tree shouldn't be an issue as SSSD does use
authenticated access and native sudo.ldap plugin supports using bind DN.
The only issue is switching from unauthenticated 3.3 to authenticated
4.0.x where your existing clients using non-bound version will stop
authorizing sudo commands. And this issue is huge.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
