authorRob Crittenden <rcritten@redhat.com>2011-01-20 12:51:59 -0500
committerRob Crittenden <rcritten@redhat.com>2011-01-24 14:33:21 -0500
commit6e7729726f6e87dc117d284719d3f68833056a28 (patch)
tree0a279a7c2901353ca9b824aee049f132770272a5 /install/share/delegation.ldif
parent9319385c7e9b103b7fd16a5415e2c0317e3fb566 (diff)
Block anonymous access to HBAC, role and some member information.
Prevents an unauthenticated user from reading HBAC and role information, as well as the memberOf attribute, which could disclose role membership, HBAC rule membership, etc. Fixes ticket 811.
Diffstat (limited to 'install/share/delegation.ldif')
-rw-r--r--install/share/delegation.ldif5
1 files changed, 5 insertions, 0 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 79b5159da..9a96365d5 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -558,6 +558,11 @@ aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=se
dn: $SUFFIX
changetype: modify
add: aci
+aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
+
+dn: $SUFFIX
+changetype: modify
+add: aci
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";)
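Review bot: The new deny rule at the top of the hunk relies on `userdn != "ldap:///all"` to single out unauthenticated binds, which reads as "everyone except everyone" to a maintainer not steeped in 389-ds ACI syntax; a one-line LDIF comment above it would prevent a later "cleanup" from breaking it, e.g. `# "ldap:///all" matches any authenticated bind, so "!=" denies only anonymous binds`. The same comment should note that in 389-ds a deny ACI overrides every allow ACI, so no later allow rule in this file can re-open role entries to anonymous readers — presumably the intent, since a broader anonymous-read grant elsewhere in the suffix would otherwise expose them. The `$SUFFIX` placeholder suggests this file is the install-time template; whether already-deployed directories pick up this ACI depends on an upgrade path that is not visible in this diff.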