On Fri, 11 Jul 2014 06:34:12 -0400 Stephen Gallagher <sgallagh(a)redhat.com> wrote:
> On 07/11/2014 05:20 AM, Michael Ströder wrote:
>> On Fri, 11 Jul 2014 10:45:10 +0200 Jakub Hrozek
>> <jhrozek(a)redhat.com> wrote
>>
>>> On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
>>>>> HBAC is very similar to this but already done for you.
>>>> Does it also disallow LDAP read access to users/groups/sudoers
>>>> which are not allowed to login or to be used on a host?
>>>
>>> No, it's pure access control evaluated during the PAM access
>>> phase.
>>
>> This means: If a server gets hacked the attacker can find out more
>> about the rest of the server infrastructure by querying FreeIPA's
>> LDAP backend.
> Client-side restrictions would do nothing to change this.
Yes.
> If you want to restrict what a particular client can see on the LDAP
> server, you need to do that on the LDAP server itself.
That's exactly what I'm doing (as described in my prior posting).
Ciao, Michael.
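What "doing it on the LDAP server itself" can look like for the sudo rules discussed above, as an added example that is not part of the thread and not FreeIPA's own configuration: a 389-ds ACI on the sudo rule container that lets a host read only the rules that list it (directly, or through a hostgroup it belongs to), together with the ldapsearch check that shows what a given host can still see. The suffix dc=example,dc=com, the IPA_SERVER variable, the function names and the layout cn=sudorules,cn=sudo,<suffix> / fqdn=<host>,cn=computers,cn=accounts,<suffix> are assumptions to adjust to the deployment.

```sh
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Assumptions (hypothetical; adjust to your deployment):
#   - suffix dc=example,dc=com, sudo rules under cn=sudorules,cn=sudo,$SUFFIX
#   - hosts authenticate with their keytab, so the bind DN is
#     fqdn=<host>,cn=computers,cn=accounts,$SUFFIX
#   - any broader "read sudo rules" allow ACI has already been removed:
#     389-ds ACIs are a union of allows, so this rule adds access, it
#     never subtracts what another allow rule grants.

SUFFIX="${SUFFIX:-dc=example,dc=com}"

# Emit the LDIF that adds the ACI. 389-ds userattr bind rules used here:
#   memberHost#USERDN  - the bind DN itself is listed in the rule's memberHost
#   memberHost#GROUPDN - the bind DN is a member of a group (hostgroup)
#                        whose DN is listed in the rule's memberHost
sudo_read_aci_ldif() {
    cat <<EOF
dn: cn=sudorules,cn=sudo,${SUFFIX}
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Hosts read only sudo rules that apply to them"; allow (read,search,compare) userattr = "memberHost#USERDN" or userattr = "memberHost#GROUPDN";)
EOF
}

# Apply the ACI as Directory Manager (ldapmodify prompts for the password).
apply_sudo_read_aci() {
    sudo_read_aci_ldif | ldapmodify -H "ldaps://${IPA_SERVER:?set IPA_SERVER}" \
        -D "cn=Directory Manager" -W
}

# The check: run on a client, bind as that client's host principal and
# count the sudo rules it can enumerate. Before the ACI change this is
# typically every rule in the tree; afterwards it should be only the rules
# whose memberHost names this host or one of its hostgroups.
count_sudo_rules_as_host() {
    kinit -kt /etc/krb5.keytab "host/$(hostname -f)" || return 1
    ldapsearch -LLL -Y GSSAPI -H "ldaps://${IPA_SERVER:?set IPA_SERVER}" \
        -b "cn=sudorules,cn=sudo,${SUFFIX}" '(objectClass=ipasudorule)' dn \
        2>/dev/null | grep -c '^dn:'
}
```

Two caveats a practitioner should check rather than assume: rules that apply to all hosts via hostCategory have no memberHost entry, so they are not covered by this ACI and need their own allow rule; and if the clients read a compat tree (ou=sudoers under the suffix) instead of cn=sudorules, the same ldapsearch must be repeated against that base, because an ACI on one tree says nothing about what the other exposes.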