On Fri, 11 Jul 2014 14:08:27 +0200 Jakub Hrozek <jhrozek(a)redhat.com> wrote
> On Fri, Jul 11, 2014 at 11:20:25AM +0200, Michael Ströder wrote:
> > On Fri, 11 Jul 2014 10:45:10 +0200 Jakub Hrozek <jhrozek(a)redhat.com> wrote
> >
> > > On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
> > > > > HBAC is very similar to this but already done for you.
> > > > >
> > > > > http://www.freeipa.org/docs/master/html-desktop/index.html#configuring-ho...
> > > > > ccess
> > > >
> > > > Does it also disallow LDAP read access to users/groups/sudoers which are
> > > > not allowed to login or to be used on a host?
> > >
> > > No, it's pure access control evaluated during the PAM access phase.
> >
> > This means: If a server gets hacked the attacker can find out more about
> > the rest of the server infrastructure by querying FreeIPA's LDAP backend.
>
> I think this is a more generic attack vector than just reading the info
> from LDAP. If the attacker gains control over an IPA client, they can
> impersonate the host completely, because they have access to the host
> keytab.
>
> bottom line -- set up sane ACIs :-)
Yes, my ACLs limit what a server or service can see:
Only the users, groups and sudoers rules it really needs.
Somewhat of a "side effect" of this is the authorization of who can log on where...
;-)
Ciao, Michael.
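The kind of ACI the thread is talking about, as an added example that is not part of either mail and not FreeIPA's own configuration. It is a 389-ds ACI in LDIF form that lets only the hosts in one hostgroup read the user entries of one user group and the sudo rules that name that hostgroup. The suffix dc=example,dc=com, the group names web-admins and webservers, the attribute list, and the use of memberOf/memberHost as filter attributes are assumptions chosen for the illustration.

```ldif
# Added example, not from the thread: scope LDAP read access on a FreeIPA
# directory per host, instead of relying on HBAC alone.
# Assumptions: suffix dc=example,dc=com; user group "web-admins";
# hostgroup "webservers"; hosts bind with their keytab as their entry under
# cn=computers,cn=accounts; the memberOf plugin maintains memberOf on user
# and host entries; sudo rules carry memberHost DNs.
#
# Weak setting (illustrative shape only; check the real value on your suffix
# with "ldapsearch -b dc=example,dc=com -s base aci"): one broad grant that
# lets every authenticated principal, every host keytab included, read every
# user entry. A compromised client can enumerate the whole directory.
#
#   aci: (targetattr != "userPassword || krbPrincipalKey")(version 3.0;
#         acl "all authenticated read"; allow (read, search, compare)
#         userdn = "ldap:///all";)
#
# Corrected: remove that grant and add narrow ones. Allows are unioned and a
# deny wins, so the narrow ACIs below change nothing while the broad one is
# still present.

# 1. Users in web-admins are readable only by hosts in the webservers
#    hostgroup, and only the attributes a POSIX client needs.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(targetattr = "objectClass || uid || cn || uidNumber || gidNumber || gecos || homeDirectory || loginShell || memberOf")(targetfilter = "(memberOf=cn=web-admins,cn=groups,cn=accounts,dc=example,dc=com)")(version 3.0; acl "webservers read web-admins users"; allow (read, search, compare) groupdn = "ldap:///cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com";)

# 2. The group entry itself, so the hosts can resolve gid and membership.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=web-admins,cn=groups,cn=accounts,dc=example,dc=com")(targetattr = "objectClass || cn || gidNumber || member")(version 3.0; acl "webservers read web-admins group"; allow (read, search, compare) groupdn = "ldap:///cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com";)

# 3. Sudo rules that name the webservers hostgroup in memberHost. Rules with
#    hostCategory=all do not match this filter and need their own grant.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ipaUniqueID=*,cn=sudorules,cn=sudo,dc=example,dc=com")(targetfilter = "(memberHost=cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com)")(version 3.0; acl "webservers read their sudo rules"; allow (read, search, compare) groupdn = "ldap:///cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com";)
```

To check the effect from a client, obtain the host's own credentials with `kinit -k host/web1.example.com` from /etc/krb5.keytab and run `ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com '(uid=*)' uid`: a host in webservers should see only the web-admins users, and a host outside it should see none. This narrows what Jakub's scenario yields, but does not remove it: an attacker holding the host keytab still sees everything that host is entitled to and can still act as that host towards FreeIPA.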