Tuesday, December 14, 2021

[389-users] Bind ACI

Hello,

     I found recently users who don't have modern machines are binding
against our 389 machines without tls or ssl. I don't know if what I want
is reasonable, but I want people to still be able to do some simple
searches anonymously without ssl (I think that it is how some of the pam
modules I have seen work, where it searches for the dn, then binds), but
when a user binds with an actual user dn I want them to bind with
authmethod=ssl. I am worried the users binding without ssl are
revealing their hash to anyone on the network.

What do you guys think? Is my worry accurate, and if it is, can you help
me articulate the ACIs below?


aci: (version 3.0; acl "anonymous-read-search"; allow (read,search)
userdn="ldap:///anyone";)

aci: (version 3.0; acl "force auth-method"; allow (read) authmethod =
"ssl";)

I still want my accounts that have write permissions to be able to write
though as well, so should that be (read,write)?

Thanks so much for your advice and help.

Regards,

Gary
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
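A worked version of the ACI split asked about above, added here as an example and not taken from the post or from the 389 project (the suffix, the anonymous attribute list and the writers group DN are placeholders). ACIs are evaluated only after a bind has completed, so they limit what a cleartext-bound session may read or write but cannot stop the simple bind itself from sending the password over the wire; the cn=config change at the end makes the server reject simple binds on non-secure connections.

```ldif
# Placeholder suffix: replace dc=example,dc=com with the real base DN.
dn: dc=example,dc=com
changetype: modify
add: aci
# Anonymous (no or cleartext bind) may only search the attributes a PAM/NSS
# lookup needs; userPassword is deliberately not in this list.
aci: (targetattr="uid || cn || objectClass || uidNumber || gidNumber || homeDirectory || loginShell")(version 3.0; acl "anonymous-read-search"; allow (read,search,compare) userdn="ldap:///anyone";)
-
add: aci
# Authenticated users get full read only when the bind came in over SSL/TLS.
aci: (targetattr="*")(version 3.0; acl "authenticated-read-over-tls"; allow (read,search,compare) userdn="ldap:///all" and authmethod="ssl";)
-
add: aci
# Accounts that must write keep (read,write), again gated on authmethod="ssl".
# Placeholder group DN.
aci: (targetattr="*")(version 3.0; acl "writers-over-tls"; allow (read,write) groupdn="ldap:///cn=Directory Writers,ou=Groups,dc=example,dc=com" and authmethod="ssl";)
-

# Server-wide setting: refuse simple binds that are not on a secure
# connection, so no password is accepted in cleartext at all.
dn: cn=config
changetype: modify
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
-
```

Apply with ldapmodify as Directory Manager over an LDAPS or STARTTLS connection, and confirm with a cleartext `ldapsearch -x -D uid=someone,... -W` that the bind is now rejected while an anonymous `-x` search of the listed attributes still succeeds.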
