On 03/01/14 20:33, Stephen Ingram wrote:
On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal <d...@redhat.com> wrote:

    On 01/03/2014 12:50 PM, Will Sheldon wrote:
    Thanks Petr, that certainly makes sense from the point of view of

    I do think the default is sane, but there are a lot of possible
    deployment scenarios and my concern is that a junior or time-poor
    admin looking to implement a trusted, secure solution should be
    made aware of any potential data leakage during configuration,
    (preferably in big red letters in the documentation, or better
    still, the install script).

    Though I am reluctant to draw comparisons between IPA and MS AD
    they do seem inevitable. AD restricts anonymous binds to the
    rootDSE entry by default and as such this may be considered by
    many to be the expected default. Extra care should therefore be
    made to point out this difference. To do otherwise risks
    undermining the confidence of users in the security of the solution.

    It is a double-edged sword. We compared IPA to LDAP-based solutions
    and with those you have (had) anonymous bind enabled by default.
    IMO it is the question of a migration. The field of centralized
    authentication is crowded with all sorts of different solutions,
    though not as integrated as AD or IdM.
    It seems that migrating and then tightening security to the level
    you need is the way to go. The default you suggest might be a
    barrier to migration as people usually tackle problems one step at
    a time.
    I am not against changing the default eventually but I am not sure
    it is the time to.

    But maybe I am wrong. Are there any opinions on the matter?

I think traditionally LDAP-based solutions have been used as true directories where one might be able to search for people through, say, a Web-based interface, for example at a university. Whereas AD can also be deployed as a directory, but more often than not through, say, an email interface (e.g. Outlook) where the user has already gained access via their own credentials, so there was not a need to allow anonymous binds. I like following the tradition of LDAP-based directories where anonymous access is allowed by default; however, it would be really nice, as the OP requested, to have controls available via the WebUI where the admin could apply ACLs to the directory to restrict access to various areas. As changing the overall access scheme requires a directory restart, I'm not too sure how easy it would be to incorporate that into the WebUI, but maybe a notice somewhere to reinforce the "open" nature of the directory if the default is retained.

Not to start a flame war here - but I would like to say I disagree with you. :)

The traditional LDAP-based solutions you're mentioning keep information that would be open to the public, such as a phone directory.

However, IPA (like AD) keeps sensitive information that should not be open to the public. From a security standpoint it's much easier to forget to secure a piece of information in an open directory than to simply close the directory off and only open it for known entities. In my point of view, it's better to keep these directories closed by default, to anything but authenticated requests.

It's a great thing that IPA can easily be configured to either be open or closed to anonymous requests by default. :)


Freeipa-users mailing list