I’m not too concerned on the default as long as the user is warned (or even
maybe asked) at install time.
On Monday, January 6, 2014 at 1:57 PM, Sigbjorn Lie wrote:
> On 03/01/14 20:33, Stephen Ingram wrote:
> > On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal <d...@redhat.com
> > (mailto:d...@redhat.com)> wrote:
> > > On 01/03/2014 12:50 PM, Will Sheldon wrote:
> > > > Thanks Petr, that certainly makes sense from the point of view of
> > > > functionality.
> > > >
> > > > I do think the default is sane, but there are a lot of possible
> > > > deployment scenarios and my concern is that a junior or time poor admin
> > > > looking to implement a trusted, secure solution should be made aware of
> > > > any potential data leakage during configuration, (preferably in big red
> > > > letters in the documentation, or better still, the install script).
> > > >
> > > > Though I am reluctant to draw comparisons between IPA and MS AD they do
> > > > seem inevitable. AD restricts anonymous binds to the rootDSE entry by
> > > > default and as such this may be considered by many to be the expected
> > > > default. Extra care should therefore be made to point out this
> > > > difference. To do otherwise risks undermining the confidence of users
> > > > in the security of the solution.
> > >
> > > It is a double edge sword. We compared IPA to LDAP based solutions and
> > > with those you have (had) anonymous bind enabled by default.
> > > IMO it is the question of a migration. The field of centralized
> > > authentication is crowded with all sorts of different solutions, though
> > > not that integrated as AD or IdM.
> > > It seems that migrating and then tightening security to the level you
> > > need is the way to go. The default you suggest might be a barrier to
> > > migration as people usually tackle problems one step at a time.
> > > I am not against changing the default eventually but I am not sure it is
> > > the time to.
> > >
> > > But may be I am wrong. Are there any opinions on the matter?
> > I think traditionally LDAP-based solutions have been used as true
> > directories where one might be able to search for people through say a
> > Web-based interface, for example at a university. Whereas AD can also be
> > deployed as a directory, but more often than not though say an email
> > Interface (e.g. Outlook) where the user has already gained access via their
> > own credentials so there was not a need to allow anonymous binds. I like
> > following the tradition of LDAP-based directories where anonymous access is
> > allowed by default, however, it would be really nice as the OP requested to
> > have controls available via the WebUI where the admin could apply ACLs to
> > the directory to restrict access to various areas. As changing the overall
> > access scheme requires a directory restart, I'm not too sure how easy it
> > would be to incorporate that into the WebUI, but maybe a notice somewhere
> > to re-enforce the "open" nature of the directory if the default is
> > retained.
> Not to start a flame war here - but I would like to say I disagree with you.
> The traditional LDAP-based solutions you're mentioning keep information that
> would be open to the public, such as a phone directory.
> However IPA (like AD) keep sensitive information that should not be open to
> the public. From a security standpoint it's much easier to forget to secure a
> piece of information in an open directory, than to simply close the directory
> off and only open for known entities. In my point of view, it's better to
> keep these directories closed by default, to anything but authenticated
> It's a great thing that IPA can easily be configured to either be open or
> closed to anonymous requests by default. :)
> Freeipa-users mailing list
> Freeipafirstname.lastname@example.org (mailto:Freeipaemail@example.com)
Freeipa-users mailing list