This question might be better posed on a general directory server list, however, as ipa obviously contains very sensitive data, I'm curious as to what ipa users think. Although ipa uses extensive acl's to shield the most important directory attributes from general view, it does allow anonymous access to many of the general entries. I notice that many directories do this to allow outside firms to view addressbook-type information of the company from their directories and referrals also depend on this functionality. I'm wondering though, if you have users from multiple domains in your directory with say name and email address information available, wouldn't this just be a free-for-all for some enterprising spammer or such? Or, if hosting dns from ipa, host records available to aid potential attackers to map network systems? Shouldn't this be controlled further in some instances and perhaps require at least a user bind (if not a TLS/SSL layer) to access this information?
Steve _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users