author: Petr Viktorin <pviktori@redhat.com> 2014-04-03 12:40:48 +0200
committer: Petr Viktorin <pviktori@redhat.com> 2014-04-08 10:34:16 +0200
commit: 0e659983a6454370021a748d7534cad9febd6cc1 (patch)
tree: 3c1f3cb727fe5fff0b4cd4a35b3c5bd1dff5619d /install/updates
parent: 50a6316d16f3cb9fcdcab03a1f205a678e2fb154 (diff)
Allow anonymous read access to containers
All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass. These are the same in all IPA
installations so they don't provide any sensitive information.

Also, $SUFFIX itself can now be read anonymously.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r-- install/updates/20-aci.update | 8
1 files changed, 8 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 3f27eb844..e9e1fe9db 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -16,3 +16,11 @@ add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their ow
dn: cn=computers,cn=accounts,$SUFFIX
add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'
+
+# Read access to $SUFFIX itself
+dn: $SUFFIX
+add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)'
+
+# Read access to containers
+dn: $SUFFIX
+add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
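Review bot: The cn=etc exclusion in the second ACI relies on `target!=` applying to the whole subtree under cn=etc,$SUFFIX, not just that one entry; the commit message promises that containers "in cn=etc" stay non-anonymous, so this deserves a test that an anonymous bind cannot read an nsContainer entry below cn=etc (and can read one elsewhere, e.g. under cn=accounts) rather than being left to reader knowledge of 389-ds target semantics. The first ACI also exposes `info`, `nisDomain` and `associatedDomain` on the DIT root in addition to `objectclass` and `dc`; the commit message only argues non-sensitivity for cn and objectclass on containers, so either the message or a comment above `# Read access to $SUFFIX itself` should state why those root attributes are safe to hand to `ldap:///anyone`.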