| field | value | date |
|---|---|---|
| author | Martin Kosek <mkosek@redhat.com> | 2012-04-02 14:57:33 +0200 |
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-04-01 21:17:04 -0400 |
| commit | df13cdcb974e9f8b161be35fcef9651c2ffe0b5e (patch) | |
| tree | 6c3e7ee8be605e4c37998ecdedca40f7da184c5e /ipalib/plugins | |
| parent | 874a298b073997ec6b1e5a119210c7f0975aed18 (diff) | |
Forbid public access to DNS tree
With a publicly accessible DNS tree in LDAP, anyone with access
to the LDAP server can get all DNS data, as with a zone transfer,
which is already restricted with an ACL. Making the DNS tree not readable
to the public is a common security practice and should be applied
in FreeIPA as well.
This patch adds a new deny rule to forbid access to the DNS tree for
users or hosts without an appropriate permission or users that
are not members of the admins group. The new permission/aci is
applied both for new installs and upgraded servers.
The bind-dyndb-ldap plugin is allowed to read the DNS tree without any
change because its principal is already a member of the "DNS
Servers" privilege.
https://fedorahosted.org/freeipa/ticket/2569
Diffstat (limited to 'ipalib/plugins')
0 files changed, 0 insertions, 0 deletions