On 04/13/2011 08:26 PM, Stephen Ingram wrote:
> This question might be better posed on a general directory server
> list, however, as ipa obviously contains very sensitive data, I'm
> curious as to what ipa users think. Although ipa uses extensive acl's
> to shield the most important directory attributes from general view,
> it does allow anonymous access to many of the general entries. I
> notice that many directories do this to allow outside firms to view
> addressbook-type information of the company from their directories and
> referrals also depend on this functionality. I'm wondering though, if
> you have users from multiple domains in your directory with say name
> and email address information available, wouldn't this just be a
> free-for-all for some enterprising spammer or such? Or, if hosting dns
> from ipa, host records available to aid potential attackers to map
> network systems? Shouldn't this be controlled further in some
> instances and perhaps require at least a user bind (if not a TLS/SSL
> layer) to access this information?

I know that the DS team has implemented the functionality to disallow
anonymous bind. I just do not recall whether this functionality is
already in the bits used by ipa. Nathan, can you help with this one?

> Steve
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
