On 09/24/2014 01:11 AM, Tommy McNeely wrote:
> Hi all,
>
> I have seen the documentation on how to disable anonymous access
> *completely* at
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
>
> However, I think that those base rootdse queries are probably important. I
> originally thought they only happened when running "ipa-client-install" but
> some quick tailing of the access log indicates to me that they happen a lot.
>
> So, instead of flipping the big switch in cn=config, has anyone considered
> just removing anonymous access to the *directory* data like:

Oh yes, "somebody" indeed considered another way! This was one of the core features of FreeIPA 4.0, which removed the ACI you mentioned and replaced it with a set of very targeted Read ACIs so that the admin will get fine-grained control over who can read what.

This is the feature page:
http://www.freeipa.org/page/V4/Permissions_V2

This is where you can try the new version:
http://www.freeipa.org/page/Downloads#Latest_Release_-_FreeIPA_4.0.3

HTH,
Martin