diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-01-20 12:51:59 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-01-24 14:33:21 -0500 |
commit | 6e7729726f6e87dc117d284719d3f68833056a28 (patch) | |
tree | 0a279a7c2901353ca9b824aee049f132770272a5 /install | |
parent | 9319385c7e9b103b7fd16a5415e2c0317e3fb566 (diff) | |
download | freeipa-6e7729726f6e87dc117d284719d3f68833056a28.tar.gz freeipa-6e7729726f6e87dc117d284719d3f68833056a28.tar.xz freeipa-6e7729726f6e87dc117d284719d3f68833056a28.zip |
Block anonymous access to HBAC, role and some member information.
Prevents an unauthenticated user from accessing HBAC and role
information as well as memberof which could disclose roles,
memberships in HBAC, etc.
ticket 811
Diffstat (limited to 'install')
-rw-r--r-- | install/share/default-aci.ldif | 6 | ||||
-rw-r--r-- | install/share/delegation.ldif | 5 |
2 files changed, 11 insertions, 0 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index ff0e5aec0..945b0bb31 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -4,6 +4,7 @@ dn: $SUFFIX changetype: modify add: aci aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) +aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";) aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) @@ -67,3 +68,8 @@ dn: cn=computers,cn=accounts,$SUFFIX changetype: modify add: aci aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) + +dn: cn=hbac,$SUFFIX +changetype: modify +add: aci +aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";) diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 79b5159da..9a96365d5 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -558,6 +558,11 @@ aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=se dn: $SUFFIX changetype: modify add: aci +aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";) + +dn: $SUFFIX +changetype: modify +add: aci aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";) aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";) |