On 04/13/2011 05:43 PM, Dmitri Pal wrote:
On 04/13/2011 08:26 PM, Stephen Ingram wrote:
This question might be better posed on a general directory server
list, however, as ipa obviously contains very sensitive data, I'm
curious as to what ipa users think. Although ipa uses extensive ACLs
to shield the most important directory attributes from general view,
it does allow anonymous access to many of the general entries. I
notice that many directories do this to allow outside firms to view
addressbook-type information of the company from their directories and
referrals also depend on this functionality. I'm wondering though, if
you have users from multiple domains in your directory with say name
and email address information available, wouldn't this just be a
free-for-all for some enterprising spammer or such? Or, if hosting DNS
from ipa, host records available to aid potential attackers to map
network systems? Shouldn't this be controlled further in some
instances and perhaps require at least a user bind (if not a TLS/SSL
layer) to access this information?
I know that the DS team has implemented the functionality to disallow
anonymous bind.
I just do not recall whether this functionality is already in the bits
used by ipa.
Nathan, can you help with this one?
I believe you are referring to the nsslapd-allow-anonymous-access setting in cn=config. This is set to "on" by default, but setting it to "off" will deny access to anonymous users.

This was added in the 389-ds-base-1.2.7 timeframe if I recall correctly, so it should be available for use by IPA.
Steve

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
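Below is an added example, not code from the thread or from the 389-ds/IPA projects, that applies the nsslapd-allow-anonymous-access change described above and verifies it from a client. It assumes the OpenLDAP command-line tools (ldapmodify/ldapsearch), a Directory Manager password file whose path is given in the hypothetical variable DM_PW_FILE, and the server URI in LDAP_URI; the suffix dc=example,dc=com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): toggle
# nsslapd-allow-anonymous-access in cn=config on a 389-ds instance and
# check the effect with an anonymous search.
# Assumed names: LDAP_URI, DM_PW_FILE (hypothetical, set by the operator).

LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
DM_DN="cn=Directory Manager"
DM_PW_FILE="${DM_PW_FILE:-/root/.dmpw}"   # password file, keeps it off argv

# Emit the LDIF that sets the attribute on cn=config; $1 is "on" or "off".
# (Newer 389-ds releases also accept "rootdse", not covered here.)
anon_access_ldif() {
    case "$1" in
        on|off) ;;
        *) echo "anon_access_ldif: value must be on or off" >&2; return 1 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-allow-anonymous-access\n'
    printf 'nsslapd-allow-anonymous-access: %s\n' "$1"
}

# Apply the change as Directory Manager; the change takes effect at once.
set_anon_access() {
    anon_access_ldif "$1" | ldapmodify -x -H "$LDAP_URI" -D "$DM_DN" -y "$DM_PW_FILE"
}

# Map the exit status of an anonymous ldapsearch to a verdict. ldapsearch
# exits with the LDAP result code: 0 means the unauthenticated search was
# served; 48 (inappropriate authentication) is what 389-ds returns for
# unauthenticated operations once anonymous access is off.
classify_anon_result() {
    case "$1" in
        0)  echo "allowed" ;;
        48) echo "denied" ;;
        *)  echo "error:$1" ;;
    esac
}

# Run an anonymous (-x without -D) base search on the suffix in $1 and report.
check_anon_access() {
    ldapsearch -x -H "$LDAP_URI" -b "$1" -s base 1.1 >/dev/null 2>&1
    classify_anon_result "$?"
}

# Usage, as an operator would run it (not executed when the file is sourced):
# set_anon_access off && check_anon_access "dc=example,dc=com"   # prints: denied
```

Before switching the setting off in an IPA deployment, confirm which clients perform unauthenticated searches (for example, SRV-record or root DSE discovery), since they will start receiving result code 48.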
