On Fri, Jan 3, 2014 at 11:37 AM, Dmitri Pal <d...@redhat.com> wrote:

>  On 01/03/2014 02:33 PM, Stephen Ingram wrote:
>
> On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal <d...@redhat.com> wrote:
>
>>  On 01/03/2014 12:50 PM, Will Sheldon wrote:
>>
>>  Thanks Petr, that certainly makes sense from the point of view of
>> functionality.
>>
>> I do think the default is sane, but there are a lot of possible
>> deployment scenarios and my concern is that a junior or time-poor admin
>> looking to implement a trusted, secure solution should be made aware of any
>> potential data leakage during configuration (preferably in big red letters
>> in the documentation, or better still, the install script).
>>
>>  Though I am reluctant to draw comparisons between IPA and MS AD they do
>> seem inevitable. AD restricts anonymous binds to the rootDSE entry by
>> default and as such this may be considered by many to be the expected
>> default. Extra care should therefore be made to point out this difference.
>> To do otherwise risks undermining the confidence of users in the
>> security of the solution.
>>
>>
>> It is a double-edged sword. We compared IPA to LDAP-based solutions and
>> with those you have (had) anonymous bind enabled by default.
>> IMO it is the question of a migration. The field of centralized
>> authentication is crowded with all sorts of different solutions, though not
>> that integrated as AD or IdM.
>> It seems that migrating and then tightening security to the level you
>> need is the way to go. The default you suggest might be a barrier to
>> migration as people usually tackle problems one step at a time.
>> I am not against changing the default eventually but I am not sure it is
>> the time to.
>>
>> But maybe I am wrong. Are there any opinions on the matter?
>>
>
>  I think traditionally LDAP-based solutions have been used as true
> directories where one might be able to search for people through say a
> Web-based interface, for example at a university. Whereas AD can also be
> deployed as a directory, but more often than not though say an email
> Interface (e.g. Outlook) where the user has already gained access via their
> own credentials so there was not a need to allow anonymous binds. I like
> following the tradition of LDAP-based directories where anonymous access is
> allowed by default, however, it would be really nice as the OP requested to
> have controls available via the WebUI where the admin could apply ACLs to
> the directory to restrict access to various areas. As changing the overall
> access scheme requires a directory restart, I'm not too sure how easy it
> would be to incorporate that into the WebUI, but maybe a notice somewhere
> to reinforce the "open" nature of the directory if the default is retained.
>
>  Steve
>
> As it was mentioned there are two options. The anonymous bind can be
> globally disabled. IMO it is not a UI option it is a deployment option.
> The ability to create fine-grained access control rules including read
> access is in the works as Petr mentioned in the earlier email. Seems like we
> are covered, or am I missing something?
>

Sounds good to me. I was just throwing in a comment on why I thought
anonymous bind is and should be the default behavior.

Steve
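The thread turns on two points: whether an anonymous client can actually read directory entries under the default, and the "deployment option" of disabling anonymous bind globally. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes the 389 Directory Server configuration attribute `nsslapd-allowanonymousaccess` on `cn=config` (values `on`, `off`, or `rootdse`, the last of which matches the AD-style behaviour Will describes, where only the root DSE stays readable); `IPA_HOST` and `IPA_BASE` are placeholders for your own deployment. The check function runs an unauthenticated one-level search and counts the entries returned, which is the observable fact an admin wants before and after changing the setting; the classifier is separated from the network call so it can be exercised on captured output.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): measure what an
# anonymous LDAP client can read from an IPA directory, and render the LDIF that
# turns anonymous access off or limits it to the root DSE on 389 Directory Server.
# Assumed placeholders: IPA_HOST and IPA_BASE describe your own deployment.
IPA_HOST="${IPA_HOST:-ipa.example.test}"
IPA_BASE="${IPA_BASE:-dc=example,dc=test}"

# Read LDIF-style ldapsearch output from stdin and count the entries in it.
# Prints "exposed:<n>" when at least one entry came back to an unauthenticated
# client, "restricted:0" when nothing did.
classify_anon_output() {
    n=$(grep -c '^dn: ' || true)
    if [ "$n" -gt 0 ]; then
        echo "exposed:$n"
    else
        echo "restricted:0"
    fi
}

# Anonymous (-x with no -D) one-level search under the base DN, requesting only
# the dn attribute. Needs the OpenLDAP ldapsearch client and network access.
anon_read_check() {
    ldapsearch -x -LLL -H "ldap://$IPA_HOST" -b "$IPA_BASE" -s one \
        '(objectClass=*)' dn 2>/dev/null | classify_anon_output
}

# Render the modify LDIF for cn=config. $1 is one of the values the attribute
# accepts: on (anonymous reads allowed, the current IPA default discussed in
# the thread), off (no anonymous bind at all), rootdse (root DSE only).
render_anon_ldif() {
    case "$1" in
        on|off|rootdse) ;;
        *) echo "usage: render_anon_ldif on|off|rootdse" >&2; return 2 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-allowanonymousaccess\nnsslapd-allowanonymousaccess: %s\n' "$1"
}

# Usage when run directly (requires ldapsearch and a reachable server):
#   IPA_HOST=ipa.example.test IPA_BASE=dc=example,dc=test sh anon_bind_check.sh --run
# Applying the change requires the Directory Manager credentials, e.g.:
#   render_anon_ldif rootdse | ldapmodify -H "ldap://$IPA_HOST" -D "cn=Directory Manager" -W
if [ "${1:-}" = "--run" ]; then
    anon_read_check
fi
```

Run the check before and after applying the LDIF: an "exposed" result on a default install is exactly the behaviour Dmitri and Steve describe as intended, and a "restricted" result after switching to `rootdse` or `off` confirms the deployment-time option took effect for unauthenticated clients.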
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users