Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-24 Thread Rob Crittenden
JR Aquino wrote: On 1/20/11 10:05 AM, Rob Crittenden rcrit...@redhat.com wrote: Simo Sorce wrote: On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittenden rcrit...@redhat.com wrote: +aci: (targetattr = "member || memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member

Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-20 Thread JR Aquino
I think it is safe to give up member. It is necessary for nss_ldap and nis. If we remove member and add the role container I think that should cover the low hanging fruit that discloses authorization data. On 1/19/11 3:28 PM, Simo Sorce sso...@redhat.com wrote: On Wed, 19 Jan 2011 17:51:56

[Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-19 Thread Rob Crittenden
Add a couple of acis to block anonymous access to cn=hbac and to member attributes. This is so you can't hunt for what roles, groups, etc. a user might be in (so you can target an attack). ticket 811 rob From b1d9409042946406b0354af17c9345c1bdf9ec0f Mon Sep 17 00:00:00 2001 From: Rob

Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 17:51:56 -0500 Rob Crittenden rcrit...@redhat.com wrote: +aci: (targetattr = "member || memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;) Nack, without 'member', nss_ldap
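Review bot: the targetattr list in the +aci: line pairs member with memberOf, but those two expose the same relationship from opposite ends (memberOf on a user or host entry is the reverse index of member on the group entry). Once member is dropped from the list so that nss_ldap and NIS group lookups keep working, as the replies require, an anonymous bind can still enumerate a user's groups by searching group entries for member=<user DN>; denying memberOf alone only closes the per-user view. The commit message should say which disclosure the ACI is expected to stop after that change so the reduced rule is not mistaken for a full fix.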
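A way to check what an ACI of this shape hides from an anonymous bind, as an added example (editor's code, not FreeIPA's or 389-ds's): it parses only the clauses visible in the quoted patch, assumes the quotes the archive dropped were present in the original, and tries a constructed variant without member, which is what the replies ask for and which this page does not show.

```python
"""Checker for one 389-ds style ACI: what does it hide from an anonymous bind?

Added example for this thread; not FreeIPA or 389-ds code.  It parses the
subset of ACI syntax that appears in the patch (a targetattr clause with
= or !=, an optional target clause, and "allow|deny (rights) userdn (=|!=)
ldap:///anyone|all" bind rules) and classifies the effect of that single
ACI for one right on one attribute.  Real 389-ds evaluation combines every
ACI in scope, with deny winning over allow and no match meaning deny.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

_CLAUSE_RE = re.compile(r'\s*\(\s*(targetattr|target)\s*(!=|=)\s*"([^"]*)"\s*\)')
_BODY_RE = re.compile(r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*userdn\s*(!=|=)\s*"ldap:///([A-Za-z]+)"\s*;')

Rule = Tuple[str, FrozenSet[str], str, str]   # effect, rights, operator, subject


@dataclass
class Aci:
    name: str
    attrs: FrozenSet[str]      # targetattr names, lower-cased
    attrs_negated: bool        # True for targetattr != "..."
    target: Optional[str]
    rules: List[Rule]


def parse_aci(text: str) -> Aci:
    """Parse one ACI value (an optional leading 'aci:' label is accepted)."""
    text = text.strip()
    if text.lower().startswith("aci:"):
        text = text[4:].strip()
    attrs: Optional[FrozenSet[str]] = None
    negated, target, pos = False, None, 0
    while True:
        m = _CLAUSE_RE.match(text, pos)
        if not m:
            break
        kind, op, value = m.groups()
        if kind == "targetattr":
            attrs = frozenset(a.strip().lower() for a in value.split("||") if a.strip())
            negated = op == "!="
        else:
            target = value
        pos = m.end()
    if attrs is None:
        raise ValueError("ACIs without a targetattr clause are outside this checker's scope")
    m = _BODY_RE.match(text, pos)
    if not m:
        raise ValueError("unrecognised ACI body: %r" % text[pos:])
    name, body = m.groups()
    rules: List[Rule] = []
    for rm in _RULE_RE.finditer(body):
        effect, rights, op, subject = rm.groups()
        rules.append((effect, frozenset(r.strip().lower() for r in rights.split(",")), op, subject.lower()))
    if not rules:
        raise ValueError("no allow/deny rule found in %r" % body)
    return Aci(name, attrs, negated, target, rules)


def bind_rule_matches(op: str, subject: str, anonymous: bool) -> bool:
    """userdn bind rules: ldap:///anyone matches every bind, ldap:///all only
    authenticated ones; '!=' inverts, so 'userdn != ldap:///all' is anonymous."""
    if subject == "anyone":
        hit = True
    elif subject == "all":
        hit = not anonymous
    else:
        raise ValueError("unsupported userdn subject: ldap:///%s" % subject)
    return hit if op == "=" else not hit


def targets_attribute(aci: Aci, attr: str) -> bool:
    listed = "*" in aci.attrs or attr.lower() in aci.attrs
    return (not listed) if aci.attrs_negated else listed


def decide(aci: Aci, attr: str, right: str, anonymous: bool) -> Optional[str]:
    """'deny', 'allow' or None (this ACI says nothing) for one right on one attribute.
    A matching deny wins over a matching allow, as in 389-ds."""
    if not targets_attribute(aci, attr):
        return None
    effects = {effect for effect, rights, op, subject in aci.rules
               if right.lower() in rights and bind_rule_matches(op, subject, anonymous)}
    if "deny" in effects:
        return "deny"
    return "allow" if "allow" in effects else None


def hidden_from_anonymous(aci: Aci, attrs: List[str]) -> List[str]:
    """Attributes, in the order given, that this ACI denies anonymous reads on."""
    return [a for a in attrs if decide(aci, a, "read", anonymous=True) == "deny"]


# The ACI from the patch, with the quotes the archive's text extraction dropped
# restored (assumption about the original formatting; the ';;)' is kept as posted).
THREAD_ACI = ('aci: (targetattr = "member || memberOf || memberHost || memberUser")'
              '(version 3.0; acl "No anonymous access to member information"; '
              'deny (read,search,compare) userdn != "ldap:///all";;)')

# Hypothetical follow-up that drops 'member', as the replies ask for; the page
# does not show the revised patch, so this is a constructed stand-in.
REVISED_ACI = THREAD_ACI.replace('"member || ', '"')

# Constructed list of attributes an nss_ldap/NIS group lookup might read.
GROUP_LOOKUP_ATTRS = ["cn", "gidNumber", "member", "memberUid"]


if __name__ == "__main__":
    for label, raw in (("patch", THREAD_ACI), ("without member", REVISED_ACI)):
        aci = parse_aci(raw)
        print(label, "hides from anonymous:", hidden_from_anonymous(aci, GROUP_LOOKUP_ATTRS + ["memberOf"]))
```

Against a live directory the equivalent check is to run the same search once anonymously and once authenticated and compare which attributes come back; this block only classifies a single ACI in isolation, and it deliberately rejects bind rules (self, groupdn, and so on) that the quoted patch does not use rather than guess at them.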