On 04/28/2014 05:16 PM, Simo Sorce wrote:
> On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote:
>>> I realized that you probably want to disable anonymous access to LDAP. It
>>> will prevent random strangers from enumerating all users in your database...
>> This sounds like a bug no? anonymous access to LDAP?
> Historically many Linux and Unix OSs did not authenticate to LDAP to
> download POSIX info, so by default we allow access to a lot of the tree.
> We are in the process of changing how the permissions work in 4.0, and
> will contextually close down a lot more of the tree letting the admin
> more easily configure access.
> So, no it is not technically a bug, but it is something you want to look
> out for as an admin.
Let me just advertise the core feature of upcoming FreeIPA 4.0, which contains a
redesign of ACIs and permissions in FreeIPA:
With this feature, it will be very easy to control visibility of different
parts of the FreeIPA DIT - i.e. for example allow POSIX user attributes for
anonymous users but allow other attributes to authenticated users only, and the
same with groups, HBAC rules, ...
Freeipa-users mailing list
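As an added example (not code from the thread or from FreeIPA itself), a small Python audit that takes the LDIF an unauthenticated search such as `ldapsearch -x -LLL -H ldap://ipa.example.test -b cn=accounts,dc=example,dc=test` prints and reports how many users a stranger could enumerate and which attributes leak; the host, base DN, sample entries and the SENSITIVE list are assumptions.

```python
"""Summarize what an anonymous LDAP bind could read from a FreeIPA tree.
Input is LDIF as printed by `ldapsearch -x -LLL ...` (-x with no -D is an anonymous bind)."""
import base64

# Attributes you would rather not hand to anonymous clients (assumed list, tune to taste)
SENSITIVE = {"memberof", "mail", "telephonenumber", "ipasshpubkey"}

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]; unfolds lines, decodes 'attr:: base64'."""
    entries, dn, attrs = [], None, None
    unfolded = text.replace("\n ", "")         # a line starting with a space continues the previous one
    for line in unfolded.splitlines() + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if attrs is not None:
                entries.append((dn, attrs))
            attrs = None
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        key, value = key.lower(), value.strip()
        if key == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(key, []).append(value)
    return entries

def summarize_exposure(entries):
    # Only posixAccount entries count as enumerable users; groups etc. are ignored here.
    users = [a for _, a in entries
             if any(v.lower() == "posixaccount" for v in a.get("objectclass", []))]
    leaked = {k for a in users for k in a} & SENSITIVE
    return {"users_visible": len(users),
            "uids": sorted(v for a in users for v in a.get("uid", [])),
            "sensitive_attrs": sorted(leaked)}

# Constructed sample of what an unrestricted tree might return to an anonymous client.
SAMPLE_LDIF = """dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: alice
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
mail:: YWxpY2VAZXhhbXBsZS50ZXN0

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: bob

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
cn: admins
"""
```

Run it against the real output after tightening ACIs to confirm the user count and the leaked attribute list drop to what you intend for anonymous clients.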