From 6e7729726f6e87dc117d284719d3f68833056a28 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 20 Jan 2011 12:51:59 -0500
Subject: Block anonymous access to HBAC, role and some member information.

Prevents an unauthenticated user from accessing HBAC and role information as well as memberof which could disclose roles, memberships in HBAC, etc.

ticket 811
---
 install/share/default-aci.ldif | 6 ++++++
 install/share/delegation.ldif | 5 +++++
 2 files changed, 11 insertions(+)
(limited to 'install/share')
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index ff0e5aec..945b0bb3 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,6 +4,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
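Review bot: The new deny on `memberOf || memberHost || memberUser` hides only the reverse links; the forward `member` attribute on group entries is still covered by the "Enable Anonymous access" allow two lines above it, so an unauthenticated bind can still enumerate group membership by reading group entries instead of user entries (unless an ACI outside this file restricts `member`). If that is intended, a `#` comment above the entry saying so would stop the next reader from assuming membership is hidden; if not, `member` belongs in the same list. Separately, 389-ds evaluates deny rules ahead of every allow, so this deny will also silently override any future `userdn = "ldap:///anyone"` allow anywhere under $SUFFIX; the same effect without that precedence hazard is to append `|| memberOf || memberHost || memberUser` to the `targetattr !=` list of the "Enable Anonymous access" ACI, which is already how this file keeps the password attributes away from anonymous binds.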
@@ -67,3 +68,8 @@ dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
+dn: cn=hbac,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 79b5159d..9a96365d 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -555,6 +555,11 @@ aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=se
 # Delegation administration
+dn: $SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
+
 dn: $SUFFIX
 changetype: modify
 add: aci
-- cgit
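Review bot: `userdn != "ldap:///all"` in the new "No anonymous access to hbac" ACI is a non-obvious idiom — `ldap:///all` is every authenticated bind DN, so the negation matches only unauthenticated binds and an authenticated host bind keeps its read access — and nothing in the LDIF says so. A comment line before the `dn: cn=hbac,$SUFFIX` entry such as `# Anonymous binds get nothing under cn=hbac: ldap:///all = any authenticated DN, so != ldap:///all = unauthenticated only; deny wins over every allow in 389-ds.` would save the next reader a trip to the 389-ds ACI docs. Note also that, as far as I recall the 389-ds semantics, `targetattr = "*"` covers user attributes only and not operational ones, so this deny does not reach operational attributes on the HBAC entries — worth confirming that is acceptable here, or naming the relevant operational attributes explicitly if it is not.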
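Review bot: The roles deny is attached to `$SUFFIX` with `target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX"`, which as I read 389-ds target matching covers the role entries (and anything beneath them) but not the `cn=roles,cn=accounts,$SUFFIX` container itself, whereas the hbac deny in default-aci.ldif is written directly on the container with no target clause and so covers the container and its whole subtree. Unless the roles container is meant to stay anonymously visible, scoping this one the same way — `dn: cn=roles,cn=accounts,$SUFFIX` with `aci: (targetattr = "*")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)` — closes that gap and keeps the two files consistent, so a reader reasons about both denies the same way. If the current placement is deliberate (for example because delegation.ldif only ever modifies `$SUFFIX`), a one-line `#` comment above the entry stating that would make the asymmetry clearly intentional.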