On 07/11/2014 05:20 AM, Michael Ströder wrote:
> On Fri, 11 Jul 2014 10:45:10 +0200 Jakub Hrozek
> <[email protected]> wrote
>
>> On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
>>>> HBAC is very similar to this but already done for you.
>>>>
>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#configuring-host-access
>
>>> Does it also disallow LDAP read access to users/groups/sudoers
>>> which are not allowed to login or to be used on a host?
>>
>> No, it's pure access control evaluated during the PAM access
>> phase.
>
> This means: If a server gets hacked the attacker can find out more
> about the rest of the server infrastructure by querying FreeIPA's
> LDAP backend.
Client-side restrictions would do nothing to change this. If you want to restrict what a particular client can see on the LDAP server, you need to do that on the LDAP server itself.
