diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2013-01-22 17:06:04 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-23 15:31:48 -0500 |
| commit | d5966bde802d8ef84c202a3e7c85f17b9e305a30 (patch) | |
| tree | 35fa24c139750e6398d2760df8f9ea33c99e6dcd /install/share/default-aci.ldif | |
| parent | 31e41eea6c2322689826e6065ceba82551c565aa (diff) | |
| download | freeipa-d5966bde802d8ef84c202a3e7c85f17b9e305a30.tar.gz freeipa-d5966bde802d8ef84c202a3e7c85f17b9e305a30.tar.xz freeipa-d5966bde802d8ef84c202a3e7c85f17b9e305a30.zip | |
Update anonymous access ACI to protect secret attributes.
Update anonymous access ACI so that no users besides Trust Admins
users can read AD Trust key attributes (ipaNTTrustAuthOutgoing,
ipaNTTrustAuthIncoming). The change is applied both for updated
IPA servers and new installations.
Diffstat (limited to 'install/share/default-aci.ldif')
| -rw-r--r-- | install/share/default-aci.ldif | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index f3ed39599..3e6c10077 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -3,7 +3,7 @@ dn: $SUFFIX changetype: modify add: aci -aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) +aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";) |