[Fedora-directory-users] TLS authentication
Pete Rowley
prowley at redhat.com
Tue Aug 8 20:11:16 UTC 2006
Adams Samuel D Contr AFRL/HEDR wrote:
>I also have two medium vulnerabilities the keep popping up with ISS that
>I need to resolve but can't seem to find the proper configuration in the
>admin console.
>
>" LDAP NullBind: LDAP anonymous access to directory
>
>
>
>
...
>" LDAP Schema: LDAP schema information gathering
>
>
>
In addition to the other posters comments I would point out that with
zero access control configured in the DS nobody but the directory
manager can do anything - zero access by default. The best method of
securing the server is to start with that blank sheet and selectively
enable targeted operations for targeted users/groups on targeted sets of
entries. For example, your requirement is that pam operates: add the aci
that makes that happen and no more. The default aci's added on install
should be treated as examples only that just happen to be suitable for
casual evaluation.
Most deployments can get away with very few aci's in order to enforce
their policy. Adding aci's when something is found not to work correctly
due to insufficient access is a lot less painful than the ramifications
of overly broad grants of access.
--
Pete
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20060808/c3809c44/attachment.bin>
More information about the 389-users
mailing list