On Fri, 11 Jul 2014 06:34:12 -0400 Stephen Gallagher <[email protected]> wrote
> On 07/11/2014 05:20 AM, Michael Ströder wrote:
> > On Fri, 11 Jul 2014 10:45:10 +0200 Jakub Hrozek
> > <[email protected]> wrote
> >
> >> On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
> >>>> HBAC is very similar to this but already done for you.
> >>> Does it also disallow LDAP read access to users/groups/sudoers
> >>> which are not allowed to login or to be used on a host?
> >>
> >> No, it's pure access control evaluated during the PAM access
> >> phase.
> >
> > This means: If a server gets hacked the attacker can find out more
> > about the rest of the server infrastructure by querying FreeIPA's
> > LDAP backend.
>
> Client-side restrictions would do nothing to change this.

Yes.

> If you want
> to restrict what a particular client can see on the LDAP server, you
> need to do that on the LDAP server itself.

That's exactly what I'm doing (as described in my prior posting).

Ciao, Michael.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
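One way to implement the server-side restriction Stephen describes, as an added example that is neither from this thread nor one of FreeIPA's shipped rules: a 389 Directory Server ACI (the LDAP backend under FreeIPA) that denies a host's own LDAP identity read access to sudo rules that do not name it. The suffix, the container DNs and the use of memberHost for the match are assumptions about a FreeIPA-style layout and must be adapted to the real directory.

```ldif
# Added example, not from the thread: a 389 Directory Server ACI that stops
# a host's LDAP identity from reading sudo rules it is not named in. HBAC
# does not do this; it only decides the PAM access phase, so the rule data
# stays readable by every authenticated client unless the server forbids it.
#
# Assumptions (adapt to the real directory):
#   - suffix dc=example,dc=com
#   - hosts bind as fqdn=<host>,cn=computers,cn=accounts,dc=example,dc=com
#   - sudo rules live under cn=sudorules,cn=sudo,dc=example,dc=com and carry
#     the host DN in their memberHost attribute
#
# userattr = "memberHost#USERDN" matches only when the bind DN appears as a
# value of memberHost in the entry being read. 389-ds evaluates deny ACIs
# before allow ACIs, so this overrides the broader read permissions granted
# higher in the tree for the binds it matches.
dn: cn=sudorules,cn=sudo,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "deny host read of sudo rules that do not name the host"; deny (read, search, compare) (userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com") and not (userattr = "memberHost#USERDN");)
```

Apply it with ldapmodify as a directory administrator and then verify with ldapsearch bound as a host principal, because a host that is only reachable from a rule through a hostgroup is not matched by memberHost#USERDN and would be denied as well.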
