[Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI

Simo Sorce simo at redhat.com
Wed Nov 27 14:34:14 UTC 2013


On Thu, 2013-11-21 at 15:54 -0500, Dmitri Pal wrote:
> On 11/21/2013 01:34 PM, Nathaniel McCallum wrote:
> >> The password can be retrieved with radiusproxy-show --all, because it is
> >> not blocked by LDAP ACIs. Is that intended?
> > Yes. But I'm torn as to whether or not this is a good idea. Regular
> > users can't see radius proxy servers at all. Admins can see all
> > attributes.
> >
> > It is common in radius server deployments to have a text file readable
> > by root with the radius secret. The current LDAP policy replicates this
> > "expected" behavior. It may be wise to block all reads of the secret
> > though. I'm open to suggestions.
> >
> If it is readable by admin only I would leave it as is for now and
> address later when we redo ACIs.

Is this specific to the one and only admin account or does it extend to
any user in the admins group ?

Looking at the current master it seems *any* user except anonymous can
read secrets ? Or is there a patch I am missing ?
I think this is too broad.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



