diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-04-03 12:40:48 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-04-08 10:34:16 +0200 |
commit | 0e659983a6454370021a748d7534cad9febd6cc1 (patch) | |
tree | 3c1f3cb727fe5fff0b4cd4a35b3c5bd1dff5619d /install/updates/20-aci.update | |
parent | 50a6316d16f3cb9fcdcab03a1f205a678e2fb154 (diff) | |
download | freeipa-0e659983a6454370021a748d7534cad9febd6cc1.tar.gz freeipa-0e659983a6454370021a748d7534cad9febd6cc1.tar.xz freeipa-0e659983a6454370021a748d7534cad9febd6cc1.zip |
Allow anonymous read access to containers
All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass.
These are the same in all IPA installations so they don't provide
any sensitive information.
Also, $SUFFIX itself can now be read anonymously.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install/updates/20-aci.update')
-rw-r--r-- | install/updates/20-aci.update | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 3f27eb844..e9e1fe9db 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -16,3 +16,11 @@ add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their ow dn: cn=computers,cn=accounts,$SUFFIX add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)' + +# Read access to $SUFFIX itself +dn: $SUFFIX +add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)' + +# Read access to containers +dn: $SUFFIX +add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)' |