On 04/28/2014 05:16 PM, Simo Sorce wrote:
> On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote:
>>> I realized that you probably want to disable anonymous access to LDAP. It
>>> will prevent random strangers from enumerating all users in your database...
>>
>> This sounds like a bug, no? Anonymous access to LDAP?
>
> Historically many Linux and Unix OSs did not authenticate to LDAP to
> download POSIX info, so we allow by default to access a lot of the tree
> anonymously.
> We are in the process of changing how the permissions work in 4.0, and
> will contextually close down a lot more of the tree, letting the admin
> more easily configure access.
>
> So, no, it is not technically a bug, but it is something you want to look
> out for as an admin.
>
> Simo.
>
Let me just advertise the core feature of the upcoming FreeIPA 4.0, which contains a re-design of ACIs and permissions in FreeIPA:

http://www.freeipa.org/page/V4/Permissions_V2

With this feature, it will be very easy to control the visibility of different parts of the FreeIPA DIT, i.e. for example to allow POSIX user attributes for anonymous access but allow other attributes to authenticated clients only; the same goes for groups, HBAC rules, ...

Martin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
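The thread's practical point is that an admin should find out what an unauthenticated client can read from the tree, and then decide which attributes belong in the "POSIX, fine to expose" bucket and which should be authenticated-only. The following audit script is an added example written for this post; it is not code from the thread, from FreeIPA or from 389-ds. It parses the LDIF that `ldapsearch -x -LLL` prints for an anonymous bind and reports every entry that exposes an attribute outside the classic POSIX set. The two attribute sets are an assumed policy (adjust them to your own), and the sample LDIF is constructed for the example.

```python
"""Audit what an anonymous LDAP bind can read from a FreeIPA-style DIT.

Added example: feed it the output of an anonymous `ldapsearch -x -LLL` run
and it lists, per entry, the attributes that go beyond what a classic NSS
client needs.  Attribute names are compared case-insensitively, as LDAP does.
"""
import base64

# Assumed policy: the POSIX account attributes that unauthenticated NSS
# clients historically fetched, so exposing them anonymously is expected.
POSIX_ATTRS = {
    "objectclass", "uid", "cn", "uidnumber", "gidnumber",
    "homedirectory", "loginshell", "gecos",
}

# Assumed policy: attributes an admin would normally restrict to
# authenticated clients (group membership, Kerberos data, SSH keys, ...).
SENSITIVE_ATTRS = {
    "mail", "memberof", "krbprincipalname", "krblastsuccessfulauth",
    "krbpasswordexpiration", "ipasshpubkey", "telephonenumber", "userpassword",
}


def parse_ldif(text):
    """Parse LDIF into a list of {"dn": ..., "attrs": {name: [values]}}.

    Handles folded continuation lines (leading space), comment lines and
    base64 values ("attr:: ..."), which is all `ldapsearch -LLL` emits.
    """
    # Unfold continuation lines first.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit_anonymous_view(ldif_text, sensitive=SENSITIVE_ATTRS):
    """Return {dn: sorted lowercase attribute names} for entries that expose
    any attribute from the sensitive set to an anonymous reader."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        leaked = sorted({a.lower() for a in entry["attrs"] if a.lower() in sensitive})
        if leaked:
            findings[entry["dn"]] = leaked
    return findings


# Constructed sample: what an over-permissive tree might return anonymously.
# alice leaks mail, group membership, her Kerberos principal and an SSH key;
# bob's entry is limited to POSIX attributes.
SAMPLE_ANON_OUTPUT = (
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test\n"
    "objectClass: posixaccount\n"
    "uid: alice\n"
    "cn: Alice Example\n"
    "uidNumber: 10001\n"
    "gidNumber: 10001\n"
    "homeDirectory: /home/alice\n"
    "loginShell: /bin/bash\n"
    "mail: alice@example.test\n"
    "memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test\n"
    "krbPrincipalName: alice@EXAMPLE.TEST\n"
    "ipaSshPubKey:: " + base64.b64encode(b"ssh-rsa AAAA alice@laptop").decode() + "\n"
    "\n"
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test\n"
    "objectClass: posixaccount\n"
    "uid: bob\n"
    "cn: Bob Example\n"
    "uidNumber: 10002\n"
    "gidNumber: 10002\n"
    "homeDirectory: /home/bob\n"
    "loginShell: /bin/sh\n"
)


if __name__ == "__main__":
    for dn, attrs in audit_anonymous_view(SAMPLE_ANON_OUTPUT).items():
        print(f"{dn}\n  exposed to anonymous readers: {', '.join(attrs)}")
```

Against a live server the input comes from an unauthenticated simple bind, e.g. `ldapsearch -x -LLL -H ldap://ipa.example.test -b "cn=accounts,dc=example,dc=test" > anon.ldif` (hostname and base DN are placeholders), and the script then shows exactly which attributes the 4.0 permission redesign lets you move from the anonymous bucket into the authenticated-only one.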
