Allow anonymous read access to containers

All nsContainer objects, except ones in cn=etc, can now be read anonymously. The allowed attributes are cn and objectclass. These are the same in all IPA installations so they don't provide any sensitive information. Also, $SUFFIX itself can now be read anonymously. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-04-03 12:40:48 +02:00
parent 50a6316d16
commit 0e659983a6
1 changed files with 8 additions and 0 deletions
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -16,3 +16,11 @@ add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their ow

 dn: cn=computers,cn=accounts,$SUFFIX
 add:aci:'(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other host SSH public keys"; allow(write) userattr = "parent[0,1].managedby#USERDN";)'
+
+# Read access to $SUFFIX itself
+dn: $SUFFIX
+add:aci:'(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)'
+
+# Read access to containers
+dn: $SUFFIX
+add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)'