Re: [Freeipa-users] Disable Anonymous LDAP another way...
On 09/24/2014 01:49 AM, Tommy McNeely wrote:
> DISREGARD!
>
> Sorry all, do not actually try my query, it makes authentication not work
> at least on CentOS6.
>
> Here is the doc I actually read the first time:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html
> (google search led me here)
> ... which says to turn it off, while the one I linked above:
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
> says to set it to "rootdse" which allows the necessary access for detecting
> configuration, but blocks access to directory data.
>
> I just mis-read it on the F18 docs.
>
> Sorry for the noise :)

One more note - there is a related proposal wrt the upstream guide (as you probably noticed, you are referring to the guide from Fedora 15/18 times):
https://www.redhat.com/archives/freeipa-users/2014-September/msg00357.html

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Disable Anonymous LDAP another way...
On 09/24/2014 01:11 AM, Tommy McNeely wrote:
> Hi all,
>
> I have seen the documentation on how to disable anonymous access
> *completely* at
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
>
> However, I think that those base rootdse queries are probably important. I
> originally thought they only happened when running "ipa-client-install" but
> some quick tailing of the access log indicates to me that they happen a lot.
>
> So, instead of flipping the big switch in cn=config, has anyone considered
> just removing anonymous access to the *directory* data like:

Oh yes, "somebody" indeed considered another way! This was one of the core features of FreeIPA 4.0, which removed the ACI you mentioned and replaced it with a set of very targeted Read ACIs so that an admin gets fine-grained control over who can read what.

This is the feature page:
http://www.freeipa.org/page/V4/Permissions_V2

This is where you can try the new version:
http://www.freeipa.org/page/Downloads#Latest_Release_-_FreeIPA_4.0.3

HTH,
Martin
Re: [Freeipa-users] Disable Anonymous LDAP another way...
DISREGARD!

Sorry all, do not actually try my query, it makes authentication not work at least on CentOS6.

Here is the doc I actually read the first time:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html
(google search led me here)
... which says to turn it off, while the one I linked above:
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
says to set it to "rootdse" which allows the necessary access for detecting configuration, but blocks access to directory data.

I just mis-read it on the F18 docs.

Sorry for the noise :)

On Tue, Sep 23, 2014 at 5:11 PM, Tommy McNeely wrote:
> Hi all,
>
> I have seen the documentation on how to disable anonymous access
> *completely* at
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
>
> However, I think that those base rootdse queries are probably important. I
> originally thought they only happened when running "ipa-client-install" but
> some quick tailing of the access log indicates to me that they happen a lot.
>
> So, instead of flipping the big switch in cn=config, has anyone considered
> just removing anonymous access to the *directory* data like:
>
> # Remove Anonymous Access to main directory
> dn: dc=example,dc=com
> changetype: modify
> delete: aci
> aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
>
> Would that work without breaking things? Do we have any information on
> what "broken" systems require anonymous LDAP binds and which ones do not?
>
> Thanks in advance,
> Tommy
[Freeipa-users] Disable Anonymous LDAP another way...
Hi all,

I have seen the documentation on how to disable anonymous access *completely* at
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html

However, I think that those base rootdse queries are probably important. I originally thought they only happened when running "ipa-client-install" but some quick tailing of the access log indicates to me that they happen a lot.

So, instead of flipping the big switch in cn=config, has anyone considered just removing anonymous access to the *directory* data like:

# Remove Anonymous Access to main directory
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

Would that work without breaking things? Do we have any information on what "broken" systems require anonymous LDAP binds and which ones do not?

Thanks in advance,
Tommy
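One way to answer the "which systems require anonymous LDAP binds" question in the post above, before flipping the cn=config switch, is to mine the 389-ds access log that the post mentions tailing. This is an added example, not code from the thread or from FreeIPA; the log lines are constructed, and it assumes the standard 389-ds access-log format, in which a connection that never binds, or binds with an empty DN, is anonymous, and base="" scope=0 is the rootDSE query that the "rootdse" setting keeps working.

```python
import re
from collections import defaultdict

# Constructed 389-ds access-log sample (not from the original post): one rootDSE-only
# anonymous client, one anonymous client reading directory data, one authenticated client.
SAMPLE_LOG = """\
[23/Sep/2014:17:05:12 -0600] conn=10 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[23/Sep/2014:17:05:12 -0600] conn=10 op=0 BIND dn="" method=128 version=3
[23/Sep/2014:17:05:12 -0600] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Sep/2014:17:05:12 -0600] conn=10 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[23/Sep/2014:17:05:12 -0600] conn=10 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Sep/2014:17:05:13 -0600] conn=10 op=2 UNBIND
[23/Sep/2014:17:05:20 -0600] conn=11 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[23/Sep/2014:17:05:20 -0600] conn=11 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="uid gecos"
[23/Sep/2014:17:05:20 -0600] conn=11 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[23/Sep/2014:17:05:30 -0600] conn=12 fd=66 slot=66 connection from 192.0.2.30 to 192.0.2.1
[23/Sep/2014:17:05:30 -0600] conn=12 op=0 BIND dn="uid=svc,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/Sep/2014:17:05:30 -0600] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc,cn=users,cn=accounts,dc=example,dc=com"
[23/Sep/2014:17:05:30 -0600] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="uid"
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)" scope=(\d)')

def anonymous_data_searches(log_text):
    """Return {client_ip: sorted bases} for searches done on anonymous connections
    against anything other than the rootDSE (base="" scope=0). A BIND is taken as successful."""
    client = {}               # conn id -> source IP
    bound = {}                # conn id -> bind DN; "" means anonymous
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            client[m.group(1)] = m.group(2)
            bound[m.group(1)] = ""      # new connection is anonymous until it binds
            continue
        m = BIND_RE.search(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, base, scope = m.groups()
            is_rootdse = base == "" and scope == "0"
            if bound.get(conn, "") == "" and not is_rootdse:
                hits[client.get(conn, "unknown")].add(base)
    return {ip: sorted(bases) for ip, bases in hits.items()}
```

Clients listed by the function are the ones that would break once anonymous access is limited to the rootDSE; the rootDSE-only client is correctly left out.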