On 07/11/2014 05:20 AM, Michael Ströder wrote:
> On Fri, 11 Jul 2014 10:45:10 +0200 Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>> On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
>>>> HBAC is very similar to this but already done for you.
>>>>
>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#configuring-ho...
>>>
>>> Does it also disallow LDAP read access to users/groups/sudoers
>>> which are not allowed to login or to be used on a host?
>>
>> No, it's pure access control evaluated during the PAM access
>> phase.
> This means: If a server gets hacked the attacker can find out more
> about the rest of the server infrastructure by querying FreeIPA's
> LDAP backend.
Client-side restrictions would do nothing to change this. If you want
to restrict what a particular client can see on the LDAP server, you
need to do that on the LDAP server itself.
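The thread does not show what a server-side restriction looks like. The LDIF below is an added example, not from the thread and not the FreeIPA project's own configuration, showing two controls applied directly on the 389 Directory Server instance that backs FreeIPA: closing anonymous reads, and an ACI that lets a host principal read only the sudo rules that name it in memberHost. The suffix dc=example,dc=com is a placeholder, and the example assumes that the broad read permissions FreeIPA grants to all authenticated users have already been narrowed through the ipa permission framework, since an additional allow ACI changes nothing while those remain in place.

```ldif
# Added illustration (not from the thread). Suffix dc=example,dc=com is a
# constructed placeholder; apply with ldapmodify as Directory Manager.

# 1. Unauthenticated clients may read the root DSE only; every other
#    search now requires a bind, so a compromised host cannot enumerate
#    the tree without a credential that is itself subject to ACIs.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse

# 2. A host binding as fqdn=HOST,cn=computers,cn=accounts,... sees only
#    the sudo rules whose memberHost attribute contains its own bind DN.
#    userattr="memberHost#USERDN" compares the client's bind DN with the
#    memberHost values of the entry being read. Assumption: the wider
#    read permissions FreeIPA grants to authenticated users have been
#    narrowed first; otherwise this allow rule is redundant.
dn: cn=sudorules,cn=sudo,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter="(objectClass=ipasudorule)")(targetattr="*")
  (version 3.0; acl "hosts read only sudo rules that name them";
  allow (read,search,compare) userattr="memberHost#USERDN";)
```

To check the effect, obtain a ticket for a host principal on a client (kinit -kt /etc/krb5.keytab) and run an ldapsearch over cn=sudorules with -Y GSSAPI: only rules listing that host should come back. Two caveats a practitioner should keep in mind: rules that reach the host through a host group or through hostCategory=all do not match this bind rule and need their own ACI, and FreeIPA regenerates its managed permissions on upgrade, so a hand-written ACI must be re-verified afterwards.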