On 04/28/2014 05:16 PM, Simo Sorce wrote:
> On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote:
>>> I realized that you probably want to disable anonymous access to LDAP. It
>>> will prevent random strangers to enumerate all users in your database...
>>
>> This sounds like a bug no? anonymous access to LDAP?
> 
> Historically many Linux and Unix OSs did not authenticate to LDAP to
> download POSIX info, so we allow by default to access a lot of the tree
> anonymously.
> We are in the process of changing how the permissions work in 4.0, and
> will contextually close down a lot more of the tree letting the admin
> more easily configure access.
> 
> So, no it is not technically a bug, but it is something you want to look
> out for as an admin.
> 
> Simo.
> 

Let me just advertise the core feature of upcoming FreeIPA 4.0 which contains
re-design of ACIs and permissions in FreeIPA:

http://www.freeipa.org/page/V4/Permissions_V2

With this feature, it will be very easy to control visibility of different
parts of FreeIPA DIT - i.e. for example allow POSIX user attributes for
anonymous bot allow other attributes to authenticated only, same with groups,
HBAC rules, ...

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to