Hi all, I have seen the documentation on how to disable anonymous access *completely* at http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
However, I think that those base rootdse queries are probably important. I originally thought they only happened when running "ipa-client-install" but some quick tailing of the access log indicates to me that they happen a lot.

So, instead of flipping the big switch in cn=config, has anyone considered just removing anonymous access to the *directory* data like:

# Remove Anonymous Access to main directory
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

Would that work without breaking things? Do we have any information on what "broken" systems require anonymous LDAP binds and which ones do not?

Thanks in advance,
Tommy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
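A defender-side check for the question above, added here as an example (not part of Tommy's message and not FreeIPA's own tooling): it unfolds LDIF as returned by ldapsearch for the aci attribute and lists every ACI that grants rights to anonymous binds, so after deleting the ACI above you can confirm which entries, if any, still allow anonymous reads. The sample LDIF is constructed; the ACL names other than "Enable Anonymous access" are assumed.

```python
import base64
import re

# Constructed sample of `ldapsearch -b dc=example,dc=com "(aci=*)" aci` output. LDIF folds long
# values onto continuation lines starting with one space and may base64-encode values ("aci::").
CONFIG_ACI = '(targetattr = "*")(version 3.0; acl "anon read config"; allow (read) userdn = "ldap:///anyone";)'
SAMPLE_LDIF = """dn: dc=example,dc=com
aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(targetattr !=
  "userPassword || krbPrincipalKey")(version 3.0; acl "Enable Anonymous access
 "; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "Admins"; allow (all) groupdn = "ldap:///cn=admins,dc=example,dc=com";)

dn: cn=config
aci:: """ + base64.b64encode(CONFIG_ACI.encode()).decode() + "\n"

def unfold_ldif(text):
    """Unfold LDIF: a newline followed by a single space continues the previous line."""
    return re.sub(r"\n ", "", text)

def parse_acis(text):
    """Return [(dn, [aci, ...]), ...] for every entry in the LDIF text."""
    entries = []
    for block in unfold_ldif(text).split("\n\n"):       # a blank line separates entries
        lines = block.splitlines()
        if not lines or not lines[0].startswith("dn: "):
            continue
        acis = [base64.b64decode(l[6:]).decode() if l.startswith("aci:: ") else l[5:]
                for l in lines[1:] if l.startswith("aci:")]
        entries.append((lines[0][4:], acis))
    return entries

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
# Every bind rule in a 389 DS / FreeIPA ACI follows a ';':  allow|deny (perms) <bind rule>;
BIND_RULE = re.compile(r'(?<=;)\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)

def anonymous_grant(aci):
    """(acl name, [perms]) if an 'allow' rule covers unauthenticated binds, else None.
    Only userdn = "ldap:///anyone" includes anonymous; "ldap:///all" means authenticated users."""
    name = ACL_NAME.search(aci)
    for kind, perms, rule in BIND_RULE.findall(aci):
        if kind == "allow" and re.search(r'userdn\s*=\s*"ldap:///anyone"', rule):
            return (name.group(1) if name else "?", [p.strip() for p in perms.split(",")])
    return None

def audit(text):
    """List (dn, acl name, perms) for every ACI that still grants rights to anonymous binds."""
    return [(dn, *hit) for dn, acis in parse_acis(text)
            for aci in acis if (hit := anonymous_grant(aci))]
```

Against a live server, feed it the saved output of ldapsearch over the suffix and over cn=config; the script itself makes no network calls.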
