From 0e659983a6454370021a748d7534cad9febd6cc1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 3 Apr 2014 12:40:48 +0200
Subject: Allow anonymous read access to containers

All nsContainer objects, except ones in cn=etc, can now be read anonymously. The allowed attributes are cn and objectclass. These are the same in all IPA installations so they don't provide any sensitive information. Also, $SUFFIX itself can now be read anonymously. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek
---
 install/updates/20-aci.update | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'install/updates')

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 3f27eb844..e9e1fe9db 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -16,3 +16,11 @@ add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their ow
 
 dn: cn=computers,cn=accounts,$SUFFIX
 add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'
+
+# Read access to $SUFFIX itself
+dn: $SUFFIX
+add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)'
+
+# Read access to containers
+dn: $SUFFIX
+add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'
-- cgit
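Review bot: The "Anonymous read access to DIT root" ACI added on `dn: $SUFFIX` carries no target restriction, so it applies to the whole subtree and grants anonymous read of `dc`, `info`, `nisDomain` and `associatedDomain` on every entry matching `(objectclass=domain)` under $SUFFIX, not only the suffix entry that the `# Read access to $SUFFIX itself` comment describes; `info` in particular is free-form text an operator may have filled in. If the 389-ds version IPA ships with supports it, adding `(targetscope="base")` to that ACI would pin it to the root entry and match the stated intent; this needs confirming against the server's ACI syntax. The second ACI relies on `(target!="ldap:///cn=etc,$SUFFIX")` also excluding everything below cn=etc, which is how 389-ds documents DN targets, but the comment should state it, e.g. `# Read access to containers (cn=etc and its subtree stay excluded)`. Anonymous search on `cn`/`objectclass` of nsContainer entries also reveals the container layout, including any site-specific containers an administrator has added, which the commit message's "same in all IPA installations" reasoning does not cover.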