On 04/18/2014 03:43 PM, Simo Sorce wrote:
> On Fri, 2014-04-18 at 13:50 +0200, Petr Viktorin wrote:
>> This extends the "Anonymous read access to containers" ACI to cover
>> cn=etc, as discussed in [0].
>>
>> A new objectClass is added so we can exclude virtual ops with
>> targetfilter: ipaVirtualOperation (2.16.840.1.113730.3.8.12.23).
>>
>>
>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00319.html
>>
>
> LGTM
>
It works perfectly except for one subtree we missed during the initial
review and which we should discuss:

cn=replicas,cn=ipa,cn=etc,SUFFIX

It contains a list of replicas (not FreeIPA masters) connected to FreeIPA.
Currently, this only affects Winsync replicas. I just verified that an
anonymous user can retrieve the list of ADs connected via winsync.

The question is how to prevent it, given that this is also created
dynamically by older FreeIPA servers and given that it has no special
objectClass to base a filter on. Maybe we would need to add a deny ACI in
this case after all?

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
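As an added illustration of the two approaches discussed in this thread (not FreeIPA project code and not the patch under review), the shell script below emits the cn=etc anonymous-read ACI with its ipaVirtualOperation targetfilter exclusion and a separate deny ACI for cn=replicas as LDIF for ldapmodify, and wraps the anonymous ldapsearch check Martin describes. The suffix dc=example,dc=com, the server name, the targetattr "*" list, the function names and the `userdn != "ldap:///all"` bind rule used to match only unauthenticated binds are all assumptions; verify the bind rule against your 389-ds version before relying on it.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Emits the two ACIs discussed in the thread
# as LDIF and checks, with an anonymous bind, whether cn=replicas is readable.
# Suffix, server name, attribute list and bind rules are assumptions.

# Anonymous read ACI for cn=etc. The targetfilter keeps entries carrying the
# ipaVirtualOperation objectClass out of the anonymous-readable set.
# targetattr "*" is an assumption; narrow it to the attributes you need.
container_aci() {
    suffix=$1
    cat <<EOF
dn: cn=etc,$suffix
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter = "(!(objectclass=ipaVirtualOperation))")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
EOF
}

# Deny ACI for the replica list, which has no objectClass to filter on.
# In 389-ds a deny always wins over an allow, so denying "ldap:///anyone"
# would lock out administrators too. The bind rule below (assumption) matches
# binds that are not authenticated users, i.e. anonymous binds only.
replicas_deny_aci() {
    suffix=$1
    cat <<EOF
dn: cn=replicas,cn=ipa,cn=etc,$suffix
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Deny anonymous read access to replicas"; deny(read, search, compare) userdn != "ldap:///all";)
EOF
}

# Anonymous (-x, no bind DN) search under cn=replicas. 389-ds hides entries
# the ACIs do not grant, so the search succeeds with zero entries once the
# deny is in place. Prints the number of entries visible to anonymous.
check_anonymous_replicas() {
    server=$1
    suffix=$2
    count=$(ldapsearch -x -LLL -H "ldap://$server" \
        -b "cn=replicas,cn=ipa,cn=etc,$suffix" -s sub '(objectclass=*)' dn \
        | grep -c '^dn:' || true)
    echo "$count"
}

# Only talk to a server when IPA_SERVER is set, e.g.
#   IPA_SERVER=ipa.example.com IPA_SUFFIX=dc=example,dc=com sh aci_check.sh
if [ -n "${IPA_SERVER:-}" ]; then
    suffix=${IPA_SUFFIX:-dc=example,dc=com}
    echo "# LDIF to apply with: ldapmodify -D 'cn=Directory Manager' -W -H ldap://$IPA_SERVER"
    container_aci "$suffix"
    echo
    replicas_deny_aci "$suffix"
    echo "# entries under cn=replicas visible to anonymous: $(check_anonymous_replicas "$IPA_SERVER" "$suffix")"
fi
```

Run the anonymous check before and after applying the deny ACI: a non-zero count before and zero after confirms the subtree is hidden from anonymous binds, and a second run bound as an administrator (ldapsearch -D ... -W) confirms the deny did not also hide it from authenticated users.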