diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-04-29 21:46:26 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-05-26 12:14:55 +0200 |
commit | 193ced0bd7a9a26e7b25f08b023ee21302acaac7 (patch) | |
tree | 994ad23b37d49ab451f65c52a54e71901cc3aedc /install/updates/60-trusts.update | |
parent | 63becae88c6c270b98f0432dc474b661b82f3119 (diff) | |
download | freeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.tar.gz freeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.tar.xz freeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.zip |
Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install/updates/60-trusts.update')
-rw-r--r-- | install/updates/60-trusts.update | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index 77c2104ff..371bf656f 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update @@ -34,7 +34,6 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType || dn: $SUFFIX add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)' -replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)' # Add the default PAC type to configuration dn: cn=ipaConfig,cn=etc,$SUFFIX |