[Freeipa-devel] [PATCHES] 0532-0533 Extend anonymous read ACI for containers

Martin Kosek mkosek at redhat.com
Fri Apr 18 13:49:13 UTC 2014


On 04/18/2014 03:43 PM, Simo Sorce wrote:
> On Fri, 2014-04-18 at 13:50 +0200, Petr Viktorin wrote:
>> This extends the "Anonymous read access to containers" ACI to cover 
>> cn=etc, as discussed in [0].
>>
>> A new objectClass is added so we can exclude virtual ops with 
>> targetfilter: ipaVirtualOperation (2.16.840.1.113730.3.8.12.23).
>>
>>
>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00319.html
>>
> 
> LGTM
> 

It works perfectly except for one subtree we missed during the initial review and which
we should discuss:

cn=replicas,cn=ipa,cn=etc,SUFFIX

It contains a list of replicas (not FreeIPA masters) connected to FreeIPA.
Currently, this only affects Winsync replicas.

I just verified that an anonymous user can retrieve the list of connected ADs via
winsync. The question is how to prevent it, given that this is created dynamically
also by an older FreeIPA server and given that it has no special objectclass to
base a filtration on.

Maybe we would need to add a deny ACI in this case after all?

Martin

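For readers following the thread, here is what the two ACIs under discussion look like in 389-ds ACI syntax. This is an illustrative example added to the archive page, not the ACI text from the patch or from FreeIPA's LDIF; the attribute list, the ACI names and the placeholder SUFFIX are assumptions. The first entry is the extended anonymous read ACI on cn=etc with the targetfilter that excludes entries carrying the new ipaVirtualOperation objectclass; the second is the kind of deny ACI Martin raises for cn=replicas, scoped by `target` on the subtree DN because those entries have no objectclass to filter on.

```ldif
# Added example, not from the patch: anonymous read of containers under cn=etc,
# with virtual operations excluded by objectclass (targetfilter negation).
dn: cn=etc,SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=etc,SUFFIX")
 (targetfilter = "(!(objectclass=ipaVirtualOperation))")
 (targetattr = "objectclass || cn")
 (version 3.0; acl "Anonymous read access to containers";
  allow (read, search, compare) userdn = "ldap:///anyone";)

# Added example: explicit deny on the replicas subtree, scoped by DN rather than
# by objectclass, since older servers create these entries without a special class.
dn: cn=replicas,cn=ipa,cn=etc,SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///cn=replicas,cn=ipa,cn=etc,SUFFIX")
 (targetattr = "*")
 (version 3.0; acl "Deny read access to replicas";  # assumed ACI name
  deny (read, search, compare) userdn = "ldap:///anyone";)
```

Two points a reviewer would check before merging such a deny rule: 389-ds evaluates a matching deny before any allow, so it cannot be overridden by a later allow on the same entries; and the bind rule `ldap:///anyone` matches authenticated binds as well as anonymous ones, so written exactly as above it would hide the subtree from everyone, not just from anonymous clients. Verifying the result is a matter of repeating the check Martin describes: an anonymous search of cn=replicas,cn=ipa,cn=etc,SUFFIX should return nothing, while the rest of cn=etc stays readable.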