On 04/13/2011 08:26 PM, Stephen Ingram wrote:
> This question might be better posed on a general directory server
> list, however, as ipa obviously contains very sensitive data, I'm
> curious as to what ipa users think. Although ipa uses extensive ACLs
> to shield the most important directory attributes from general view,
> it does allow anonymous access to many of the general entries. I
> notice that many directories do this to allow outside firms to view
> addressbook-type information of the company from their directories and
> referrals also depend on this functionality. I'm wondering though, if
> you have users from multiple domains in your directory with say name
> and email address information available, wouldn't this just be a
> free-for-all for some enterprising spammer or such? Or, if hosting dns
> from ipa, host records available to aid potential attackers to map
> network systems? Shouldn't this be controlled further in some
> instances and perhaps require at least a user bind (if not a TLS/SSL
> layer) to access this information?
I know that the DS team has implemented the functionality to disallow
I just do not recall whether this functionality is already in the bits
used by ipa.
Nathan, can you help with this one?
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.