[Freeipa-users] allowing anonymous access to ipa directory

Nathan Kinder nkinder at redhat.com
Thu Apr 14 22:41:07 UTC 2011


On 04/13/2011 05:43 PM, Dmitri Pal wrote:
> On 04/13/2011 08:26 PM, Stephen Ingram wrote:
>> This question might be better posed on a general directory server
>> list, however, as ipa obviously contains very sensitive data, I'm
>> curious as to what ipa users think. Although ipa uses extensive acl's
>> to shield the most important directory attributes from general view,
>> it does allow anonymous access to many of the general entries. I
>> notice that many directories do this to allow outside firms to view
>> addressbook-type information of the company from their directories and
>> referrals also depend on this functionality. I'm wondering though, if
>> you have users from multiple domains in your directory with say name
>> and email address information available, wouldn't this just be a
>> free-for-all for some enterprising spammer or such? Or, if hosting dns
>> from ipa, host records available to aid potential attackers to map
>> network systems? Shouldn't this be controlled further in some
>> instances and perhaps require at least a user bind (if not a TLS/SSL
>> layer) to access this information?
> I know that the DS team has implemented the functionality to disallow
> anonymous bind.
> I just do not recall whether this functionality is already in the bits
> used by ipa.
> Nathan, can you help with this one?
I believe you are referring to the nsslapd-allow-anonymous-access 
setting in cn=config.  This is set to "on" by default, but setting it to 
"off" will deny access to anonymous users.

This was added in the 389-ds-base-1.2.7 timeframe if I recall correctly, 
so it should be available for use by IPA.
>> Steve
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
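The setting Nathan names above is an ordinary attribute on the cn=config entry, so it can be audited and changed with the standard LDAP tools. The following script is an added example written for this archive page, not code from the thread or from the 389-ds or FreeIPA projects: it parses the LDIF that `ldapsearch -LLL -b cn=config nsslapd-allow-anonymous-access` returns (the sample entry embedded below is constructed), reports whether anonymous access is permitted, and emits the `ldapmodify` LDIF that switches it off. It treats a missing attribute as "on", matching the default stated in the reply, and also recognises the value `rootdse`, which 389-ds accepts to limit anonymous clients to the root DSE. The probe-result classifier maps `ldapsearch -x` exit statuses, which follow the LDAP result codes, to a human-readable verdict; the wording of those verdicts is this example's own.

```python
import base64
import re

# Constructed sample of what `ldapsearch -LLL -b cn=config \
#   nsslapd-allow-anonymous-access` might return; not captured from a real server.
SAMPLE_CONFIG_LDIF = """dn: cn=config
cn: config
nsslapd-allow-anonymous-access: on
"""

# One LDIF line: attribute name, ':' or '::' (base64), optional space, value.
LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# Values 389-ds accepts for this attribute.
VALID_STATES = {"on", "off", "rootdse"}


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute_lowercase: [values]}.

    Handles folded lines (continuation lines start with one space) and
    base64-encoded values written as 'attr:: <base64>'.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # join continuation onto previous line
        else:
            unfolded.append(line)

    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        match = LDIF_LINE.match(line)
        if not match:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def anonymous_access_state(config_ldif):
    """Return 'on', 'off' or 'rootdse' for the cn=config entry.

    An absent attribute means the server default, which is 'on'.
    """
    entry = parse_ldif_entry(config_ldif)
    values = entry.get("nsslapd-allow-anonymous-access", ["on"])
    state = values[0].strip().lower()
    if state not in VALID_STATES:
        raise ValueError(f"unexpected nsslapd-allow-anonymous-access value: {values[0]!r}")
    return state


def anonymous_search_exposed(config_ldif):
    """True when unauthenticated clients may search the tree (state 'on')."""
    return anonymous_access_state(config_ldif) == "on"


def disable_anonymous_ldif():
    """LDIF to feed to `ldapmodify -x -D 'cn=Directory Manager' -W` to
    turn anonymous access off server-wide."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-allow-anonymous-access\n"
        "nsslapd-allow-anonymous-access: off\n"
    )


def classify_probe_exit(status):
    """Interpret the exit status of an anonymous probe such as
    `ldapsearch -x -H ldap://HOST -b 'dc=example,dc=com' '(uid=*)' mail`.
    ldapsearch exits with the LDAP result code; the verdict text is ours."""
    if status == 0:
        return "anonymous search succeeded: directory data is readable without a bind"
    if status == 48:   # inappropriateAuthentication
        return "anonymous bind rejected: server requires authentication"
    if status == 50:   # insufficientAccessRights
        return "bind accepted but ACIs denied the read"
    return f"probe failed with LDAP result code {status}"


if __name__ == "__main__":
    print("state:", anonymous_access_state(SAMPLE_CONFIG_LDIF))
    print("exposed:", anonymous_search_exposed(SAMPLE_CONFIG_LDIF))
    print(disable_anonymous_ldif())
```

Before applying the generated LDIF on an IPA server, confirm that every consumer of the directory (enrolled clients, replication partners, and anything that resolves names through the LDAP-backed DNS) binds with credentials; otherwise the change trades anonymous exposure for an outage.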