DISREGARD! Sorry all, do not actually try my query, it makes authentication not work at least on CentOS6.
Here is the doc I actually read the first time: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html (google search led me here) ... which says to turn it off, while the one I linked above: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html says to set it to "rootdse" which allows the necessary access for detecting configuration, but blocks access to directory data. I just mis-read it on the F18 docs.

Sorry for the noise :)

On Tue, Sep 23, 2014 at 5:11 PM, Tommy McNeely <[email protected]> wrote:
> Hi all,
>
> I have seen the documentation on how to disable anonymous access
> *completely* at
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
>
> However, I think that those base rootdse queries are probably important. I
> originally thought they only happened when running "ipa-client-install" but
> some quick tailing of the access log indicates to me that they happen a lot.
>
> So, instead of flipping the big switch in cn=config, has anyone considered
> just removing anonymous access to the *directory* data like:
>
> # Remove Anonymous Access to main directory
> dn: dc=example,dc=com
> changetype: modify
> delete: aci
> aci: (target != "ldap:///idnsname=*,cn=dns,dc=example,dc=com")
>  (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
>  sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash ||
>  ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")
>  (version 3.0; acl "Enable Anonymous access";
>  allow (read, search, compare) userdn = "ldap:///anyone";)
>
> Would that work without breaking things? Do we have any information on
> what "broken" systems require anonymous LDAP binds and which ones do not?
>
> Thanks in advance,
> Tommy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
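Added example (not from the thread or from FreeIPA itself): the question of which clients actually depend on anonymous reads of directory data, as opposed to the root DSE probes Tommy saw when tailing the access log, can be answered from that same log before anything is changed in cn=config. The script below walks a 389-ds style access log, tracks whether each connection ever completed a non-anonymous bind, and flags every SRCH on an unauthenticated connection whose base is not "" (the root DSE). Those are the operations that stop working once nsslapd-allow-anonymous-access is set to rootdse; base="" searches keep working. The sample log lines are constructed to mimic the conn=/op= layout of the 389-ds access log (an anonymous root DSE probe, an anonymous read of cn=users, and a GSSAPI-authenticated connection); the field names it parses (BIND, RESULT, SRCH, dn=, base=, err=) are the standard ones, but the exact spacing of the sample is an assumption, not a real capture.

```python
"""Find anonymous searches that nsslapd-allow-anonymous-access: rootdse would block.

Added example, not FreeIPA code. The SAMPLE_LOG below is CONSTRUCTED to follow
the 389-ds access log layout (conn=/op= fields); run the functions on a real
/var/log/dirsrv/slapd-*/access instead to audit your own clients.
"""
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes the root DSE anonymously (fine under
# rootdse), 10.0.0.9 reads user data anonymously (breaks under rootdse), and
# 10.0.0.7 authenticates with GSSAPI first (must not be flagged).
SAMPLE_LOG = """\
[23/Sep/2014:17:11:02 -0600] conn=101 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[23/Sep/2014:17:11:02 -0600] conn=101 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms namingContexts"
[23/Sep/2014:17:11:02 -0600] conn=101 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[23/Sep/2014:17:11:03 -0600] conn=101 op=1 UNBIND
[23/Sep/2014:17:11:05 -0600] conn=102 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[23/Sep/2014:17:11:05 -0600] conn=102 op=0 BIND dn="" method=128 version=3
[23/Sep/2014:17:11:05 -0600] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Sep/2014:17:11:05 -0600] conn=102 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="uidNumber gidNumber"
[23/Sep/2014:17:11:05 -0600] conn=102 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Sep/2014:17:11:07 -0600] conn=103 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[23/Sep/2014:17:11:07 -0600] conn=103 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Sep/2014:17:11:07 -0600] conn=103 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Sep/2014:17:11:07 -0600] conn=103 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Sep/2014:17:11:07 -0600] conn=103 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[23/Sep/2014:17:11:07 -0600] conn=103 op=2 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="ALL"
[23/Sep/2014:17:11:07 -0600] conn=103 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_FROM_RE = re.compile(r'connection from (?P<ip>[\d.:a-fA-F]+) to ')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>BIND|RESULT|SRCH|UNBIND)\b(?P<args>.*)$')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
BASE_RE = re.compile(r'\bbase="(?P<base>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')


def classify_anonymous_searches(log_text):
    """Return (client_ip, base_dn, verdict) for every SRCH on a connection
    that has not completed a non-anonymous bind. verdict is
    'allowed_by_rootdse' for base="" and 'blocked_by_rootdse' otherwise."""
    client_ip = {}      # conn id -> peer address
    bound_as = {}       # conn id -> DN of last successful bind ('' = anonymous)
    pending_bind = {}   # conn id -> (op, requested dn) awaiting its RESULT
    findings = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group('conn'), m.group('rest')

        cm = CONN_FROM_RE.search(rest)
        if cm:
            client_ip[conn] = cm.group('ip')
            bound_as[conn] = ''   # every new connection starts out anonymous
            continue

        om = OP_RE.match(rest)
        if not om:
            continue   # fd/slot, closed, and other non-operation lines
        op, kind, args = om.group('op'), om.group('kind'), om.group('args')

        if kind == 'BIND':
            dm = DN_RE.search(args)
            pending_bind[conn] = (op, dm.group('dn') if dm else '')
        elif kind == 'RESULT' and pending_bind.get(conn, (None,))[0] == op:
            em = ERR_RE.search(args)
            if em and em.group('err') == '0':
                # SASL binds report the mapped identity on the RESULT line;
                # simple binds carry it on the BIND line.
                dm = DN_RE.search(args)
                bound_as[conn] = dm.group('dn') if dm else pending_bind[conn][1]
            if not (em and em.group('err') == '14'):   # 14 = SASL bind in progress
                pending_bind.pop(conn, None)
        elif kind == 'SRCH' and bound_as.get(conn, '') == '':
            bm = BASE_RE.search(args)
            base = bm.group('base') if bm else ''
            verdict = 'allowed_by_rootdse' if base == '' else 'blocked_by_rootdse'
            findings.append((client_ip.get(conn, '?'), base, verdict))
    return findings


def clients_needing_anonymous_data_access(log_text):
    """Map client IP -> number of anonymous data searches rootdse mode would block."""
    counts = defaultdict(int)
    for ip, _base, verdict in classify_anonymous_searches(log_text):
        if verdict == 'blocked_by_rootdse':
            counts[ip] += 1
    return dict(counts)


if __name__ == '__main__':
    for ip, base, verdict in classify_anonymous_searches(SAMPLE_LOG):
        print(f'{ip:<12} {verdict:<20} base="{base}"')
    print('fix these clients before switching:', clients_needing_anonymous_data_access(SAMPLE_LOG))
```

Run it over a day or two of the real access log first; only the hosts in the "blocked_by_rootdse" list need attention (a bind DN for the client, or a keytab so it can use GSSAPI) before the switch. Hosts that only ever show up with base="" are the ipa-client-install / sssd style discovery probes Tommy noticed, and rootdse mode keeps those working.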
