Petr Spacek from Red Hat found that FreeIPA versions 4.0+ are affected by an information disclosure bug which allows an unauthenticated attacker to read all data (including plain-text passwords and some types of keys) that was stored in the LDAP database in the two days prior to the attack. For example, if a user changed his password on 2014-11-25, then anyone can retrieve his plain-text password up to 2014-11-27. This bug affects the FreeIPA installation process too, so the password for the admin user is also available.

Original report below:
...

Products affected
=================
RHEL 7.1 (including High-touch beta)
Fedora 21

Older versions are not affected.

Cause
=====
389 DS implements the RFC 4533 protocol, which internally uses a 'changelog' mechanism to detect which entries were changed since the last synchronization. The changelog basically logs all writes to the LDAP database in plain text. FreeIPA configures the changelog plug-in to store data for two days.

This changelog is exposed as the LDAP sub-tree 'cn=changelog' and it has the default Access Control Instruction set to:

(target ="ldap:///cn=changelog")(targetattr != "aci")(version 3.0; acl "changelog base"; allow( read,search, compare ) userdn ="ldap:///anyone";)

According to [1] the 'userdn ="ldap:///anyone"' allows access to unauthenticated (anonymous) users.

Mitigation
==========
This needs to be consulted with the 389 DS team. IMHO the best approach would be to eliminate the changelog or significantly limit the amount of data stored in it.

An alternative/quick&dirty approach would be to tighten the ACI. I have tried to change "anyone" to "nobody" and it seems that no user is able to read cn=changelog directly, but the RFC 4533 protocol still seems to work.

I have tried to remove the ACI completely and it yielded the same result - even the "admin" user was not able to read the changelog.
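As an added example (not part of the report above or of 389 DS/FreeIPA), the following audit script scans an LDIF export of the directory for the cn=changelog ACI quoted in the report, flags any bind rule that grants read/search/compare to "ldap:///anyone", and emits an ldapmodify LDIF applying the "anyone" to "nobody" rewrite the report tested. The LDIF fragment is constructed for illustration; the function and variable names are mine.

```python
import re

# Constructed sample LDIF export of the changelog entry, carrying the
# default ACI quoted in the report (not captured from a real server).
SAMPLE_LDIF = """dn: cn=changelog
objectClass: top
objectClass: extensibleObject
cn: changelog
aci: (target ="ldap:///cn=changelog")(targetattr != "aci")(version 3.0; acl "changelog base"; allow( read,search, compare ) userdn ="ldap:///anyone";)
"""

# Bind rule that lets anonymous (unauthenticated) binds through.
ANON_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)

def parse_acis(ldif, dn="cn=changelog"):
    """Return the aci: values of the given entry (LDIF folded lines are unfolded first)."""
    unfolded = re.sub(r"\n ", "", ldif)
    acis, in_entry = [], False
    for line in unfolded.splitlines():
        if line.lower().startswith("dn:"):
            in_entry = line.split(":", 1)[1].strip().lower().startswith(dn.lower())
        elif in_entry and line.startswith("aci:"):
            acis.append(line[4:].strip())
    return acis

def anonymous_readable(aci):
    """True if the ACI grants anonymous binds any of read, search or compare."""
    rights = aci.split("allow", 1)[-1].lower()
    return bool(ANON_RE.search(aci)) and any(r in rights for r in ("read", "search", "compare"))

def harden(aci):
    """Quick fix from the report: restrict the bind rule from 'anyone' to 'nobody'."""
    return ANON_RE.sub('userdn = "ldap:///nobody"', aci)

def audit(ldif):
    """Return (weak_aci, hardened_aci) pairs for every exposed changelog ACI."""
    return [(a, harden(a)) for a in parse_acis(ldif) if anonymous_readable(a)]

def modify_ldif(findings, dn="cn=changelog"):
    """Build an ldapmodify LDIF that replaces each weak ACI with its hardened form."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for weak, hard in findings:
        lines += ["delete: aci", f"aci: {weak}", "-", "add: aci", f"aci: {hard}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = audit(SAMPLE_LDIF)
    print(f"{len(found)} anonymous-readable changelog ACI(s) found")
    print(modify_ldif(found))
```

Feed the script a real export (e.g. from ldapsearch run as Directory Manager) and apply the generated LDIF with ldapmodify; re-run the audit afterwards to confirm no ACI on cn=changelog still matches.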
Acknowledgement: This issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0416 https://rhn.redhat.com/errata/RHSA-2015-0416.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:0628 https://rhn.redhat.com/errata/RHSA-2015-0628.html
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1199675]