[Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI
Dmitri Pal
dpal at redhat.com
Thu Nov 21 20:54:00 UTC 2013
On 11/21/2013 01:34 PM, Nathaniel McCallum wrote:
>> The password can be retrieved with radiusproxy-show --all, because it is
>> not blocked by LDAP ACIs. Is that intended?
> Yes. But I'm torn as to whether or not this is a good idea. Regular
> users can't see radius proxy servers at all. Admins can see all
> attributes.
>
> It is common in radius server deployments to have a text file readable
> by root with the radius secret. The current LDAP policy replicates this
> "expected" behavior. It may be wise to block all reads of the secret
> though. I'm open to suggestions.
>
If it is readable by admin only I would leave it as is for now and
address later when we redo ACIs.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.