I’m not too concerned about the default as long as the user is warned (or even
maybe asked) at install time.


Kind regards,

Will Sheldon
+1.778-689-1244


On Monday, January 6, 2014 at 1:57 PM, Sigbjorn Lie wrote:

> On 03/01/14 20:33, Stephen Ingram wrote:
> > On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal <d...@redhat.com> wrote:
> > > On 01/03/2014 12:50 PM, Will Sheldon wrote:  
> > > > Thanks Petr, that certainly makes sense from the point of view of 
> > > > functionality.  
> > > >  
> > > > I do think the default is sane, but there are a lot of possible 
> > > > deployment scenarios and my concern is that a junior or time poor admin 
> > > > looking to implement a trusted, secure solution should be made aware of 
> > > > any potential data leakage during configuration, (preferably in big red 
> > > > letters in the documentation, or better still, the install script).  
> > > >  
> > > > Though I am reluctant to draw comparisons between IPA and MS AD they do 
> > > > seem inevitable. AD restricts anonymous binds to the rootDSE entry by 
> > > > default and as such this may be considered by many to be the expected 
> > > > default. Extra care should therefore be made to point out this 
> > > > difference. To do otherwise risks undermining the confidence of users 
> > > > in the security of the solution.
> > >  
> > > It is a double-edged sword. We compared IPA to LDAP-based solutions and
> > > with those you have (had) anonymous bind enabled by default.
> > > IMO it is a question of migration. The field of centralized
> > > authentication is crowded with all sorts of different solutions, though
> > > not as integrated as AD or IdM.
> > > It seems that migrating and then tightening security to the level you
> > > need is the way to go. The default you suggest might be a barrier to
> > > migration as people usually tackle problems one step at a time.
> > > I am not against changing the default eventually, but I am not sure it is
> > > the time to.
> > >  
> > > But maybe I am wrong. Are there any opinions on the matter?
> >  
> > I think traditionally LDAP-based solutions have been used as true
> > directories where one might be able to search for people through, say, a
> > Web-based interface, for example at a university. Whereas AD can also be
> > deployed as a directory, but more often than not through, say, an email
> > interface (e.g. Outlook) where the user has already gained access via their
> > own credentials, so there was not a need to allow anonymous binds. I like
> > following the tradition of LDAP-based directories where anonymous access is
> > allowed by default; however, it would be really nice, as the OP requested, to
> > have controls available via the WebUI where the admin could apply ACLs to
> > the directory to restrict access to various areas. As changing the overall
> > access scheme requires a directory restart, I'm not too sure how easy it
> > would be to incorporate that into the WebUI, but maybe a notice somewhere
> > to reinforce the "open" nature of the directory if the default is
> > retained.
> >  
> >  
>  
> Not to start a flame war here - but I would like to say I disagree with you. 
> :)
>  
> The traditional LDAP-based solutions you're mentioning keep information that 
> would be open to the public, such as a phone directory.
>  
> However, IPA (like AD) keeps sensitive information that should not be open to
> the public. From a security standpoint it's much easier to forget to secure a
> piece of information in an open directory than to simply close the directory
> off and only open it for known entities. From my point of view, it's better to
> keep these directories closed by default to anything but authenticated
> requests.
>  
> It's a great thing that IPA can easily be configured to either be open or 
> closed to anonymous requests by default. :)
>  
>  
> Regards,
> Siggi
>  
>  
>  
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>  
>  


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users