On Fri, Jan 3, 2014 at 11:37 AM, Dmitri Pal <d...@redhat.com> wrote:

>  On 01/03/2014 02:33 PM, Stephen Ingram wrote:
> On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal <d...@redhat.com> wrote:
>>  On 01/03/2014 12:50 PM, Will Sheldon wrote:
>>  Thanks Petr, that certainly makes sense from the point of view of
>> functionality.
>> I do think the default is sane, but there are a lot of possible
>> deployment scenarios and my concern is that a junior or time poor admin
>> looking to implement a trusted, secure solution should be made aware of any
>> potential data leakage during configuration, (preferably in big red letters
>> in the documentation, or better still, the install script).
>>  Though I am reluctant to draw comparisons between IPA and MS AD they do
>> seem inevitable. AD restricts anonymous binds to the rootDSE entry by
>> default and as such this may be considered by many to be the expected
>> default. Extra care should therefore be made to point out this difference.
>> To do otherwise risks undermining the confidence of users in the
>> security of the solution.
>> It is a double edge sword. We compared IPA to LDAP based solutions and
>> with those you have (had) anonymous bind enabled by default.
>> IMO it is the question of a migration. The field of centralized
>> authentication is crowded with all sorts of different solutions, though not
>> that integrated as AD or IdM.
>> It seems that migrating and then tightening security to the level you
>> need is the way to go. The default you suggest might be a barrier to
>> migration as people usually tackle problems one step at a time.
>> I am not against changing the default eventually but I am not sure it is
>> the time to.
>> But may be I am wrong. Are there any opinions on the matter?
>  I think traditionally LDAP-based solutions have been used as true
> directories where one might be able to search for people through say a
> Web-based interface, for example at a university. Whereas AD can also be
> deployed as a directory, but more often than not though say an email
> Interface (e.g. Outlook) where the user has already gained access via their
> own credentials so there was not a need to allow anonymous binds. I like
> following the tradition of LDAP-based directories where anonymous access is
> allowed by default, however, it would be really nice as the OP requested to
> have controls available via the WebUI where the admin could apply ACLs to
> the directory to restrict access to various areas. As changing the overall
> access scheme requires a directory restart, I'm not too sure how easy it
> would be to incorporate that into the WebUI, but maybe a notice somewhere
> to re-enforce the "open" nature of the directory if the default is retained.
>  Steve
> As it was mentioned there are two options. The anonymous bind can be
> globally disabled. IMO it is not a UI option it is a deployment option.
> The ability to create fine grain access control rules including read
> access are in works as Petr mentioned in the earlier email. Seems like we
> are covered or I am missing something?

Sounds good to me. I was just throwing in a comment on why I thought
anonymous bind is and should be the default behavior.

Freeipa-users mailing list

Reply via email to