On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.

If you check
cn=users,cn=Schema Compatibility,cn=plugins,cn=config
you would see that we only allow attributes we already expose to anonymous as
in the basic permission. So it is not that bad.

For users, yes. I assume we want the others to be authenticated only?
My point was that if we are hiding from anonymous access even the fact
that a certain user or group exists

Are we?
I was under the impression we've followed the change requested by some of our
users to knock down anonymous access completely, but I still see

# FIXME: We need to allow truly anonymous access only to NIS data for
# older clients. We need to allow broad access to most attributes only
# to authenticated users

in install/share/default-aci.ldif

Maybe it is time to do so?

4.0.x where your existing clients using non-bound version will stop
authorizing sudo commands. And this issue is huge.

Right, this affects the Legacy clients feature and makes our ipa-advise insufficient.
This means we should improve the advice.
--
/ Alexander Bokovoy
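The thread's question is which attributes a truly anonymous bind can read under the ACIs in default-aci.ldif. As an added example (not code from the thread or from FreeIPA), the following Python audits 389-ds style `aci:` values and lists the attributes that an "ldap:///anyone" allow-ACI grants and no "ldap:///anyone" deny-ACI takes away; the ACI text is constructed for illustration, not FreeIPA's real defaults.

```python
import re

# Constructed sample ACIs in 389-ds syntax; NOT the real default-aci.ldif.
SAMPLE_LDIF = """\
dn: dc=example,dc=test
aci: (targetattr = "objectclass || uid || cn || memberof")(version 3.0;acl "Anonymous read access";allow (read,search,compare) userdn = "ldap:///anyone";)
aci: (targetattr = "mail || telephonenumber")(version 3.0;acl "Authenticated users read";allow (read,search,compare) userdn = "ldap:///all";)
aci: (targetattr = "userpassword")(version 3.0;acl "Deny anonymous password";deny (read,search,compare) userdn = "ldap:///anyone";)
"""

# One ACI: targetattr clause, acl name, allow/deny, rights list, bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'.*?acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.*?);\)',
    re.DOTALL,
)

def parse_acis(ldif):
    """Return a list of dicts, one per parseable 'aci:' line."""
    acis = []
    for line in ldif.splitlines():
        if not line.startswith("aci:"):
            continue
        m = ACI_RE.search(line[len("aci:"):].strip())
        if not m:
            continue
        acis.append({
            "name": m["name"],
            "negated": m["op"] == "!=",  # 'targetattr != ...' means "all other attributes"
            "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
            "effect": m["effect"],
            "rights": {r.strip() for r in m["rights"].split(",")},
            # 'ldap:///anyone' includes unauthenticated binds; 'ldap:///all' does not.
            "anonymous": "ldap:///anyone" in m["bind"],
        })
    return acis

def anonymous_readable_attrs(ldif):
    """Attributes an anonymous bind may read: granted by an 'anyone' allow-ACI
    and not revoked by an 'anyone' deny-ACI (deny wins in 389-ds).
    Negated targetattr clauses cannot be enumerated here and are skipped."""
    allowed, denied = set(), set()
    for aci in parse_acis(ldif):
        if not aci["anonymous"] or "read" not in aci["rights"] or aci["negated"]:
            continue
        (allowed if aci["effect"] == "allow" else denied).update(aci["attrs"])
    return allowed - denied

if __name__ == "__main__":
    print(sorted(anonymous_readable_attrs(SAMPLE_LDIF)))
```

Run against an export of the real ACIs (for example the output of an ldapsearch for the `aci` attribute) to compare what anonymous can read from the primary tree with what the compat tree exposes.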

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel