On Fri, 11 Jul 2014 10:45:10 +0200 Jakub Hrozek <[email protected]> wrote

> On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
> > > HBAC is very similar to this but already done for you.
> > >
> > >
> > > http://www.freeipa.org/docs/master/html-desktop/index.html#configuring-host-access
> >
> > Does it also disallow LDAP read access to users/groups/sudoers which are
> > not allowed to login or to be used on a host?
> 
> No, it's pure access control evaluated during the PAM access phase.

This means: If a server gets hacked the attacker can find out more about the
rest of the server infrastructure by querying FreeIPA's LDAP backend.

Ciao, Michael.


_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
