[Freeipa-devel] User life cycle: Question about ACI "Admin read-only attributes"
Petr Spacek
pspacek at redhat.com
Mon Mar 30 11:03:05 UTC 2015
On 30.3.2015 11:50, thierry bordaz wrote:
> Hello,
>
> The aci "Admin read-only attributes" grants, for the complete
> suffix, read access to 'admin' users for the following attributes.
>
> "ipaUniqueId || memberOf || enrolledBy || krbExtraData ||
> krbPrincipalName || krbCanonicalName || krbPasswordExpiration ||
> krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth"
>
>
> "userPassword" and "krbPrincipalKey" are not "read-only" attributes
> so I guess it is the reason why they are not part of this list.
>
> For User life cycle, I would need admin users to be granted read
> access on "userPassword" and "krbPrincipalKey".
> The scope could be limited to the Stage container, but I was wondering if
> there is a security reason not to grant read access on the full suffix?
AFAIK admins were not given read access to keys and passwords on purpose, as a
security measure. It prevents accidental key disclosure when an admin does an
ldapsearch and posts the result somewhere (e.g. while debugging something).
I did not follow the whole user life-cycle discussion. Why do you need read
access to it? Is it because you plan to do add/del instead of modrdn?
--
Petr^2 Spacek
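As an added illustration of the concern raised in this thread (it is not code from the thread or from FreeIPA), the script below audits a set of 389-ds style ACI strings and flags any that grant read-like rights on userPassword or krbPrincipalKey, reporting whether the grant is limited to a stage container or applies suffix-wide. The ACI syntax, the suffix, the stage container DN, the admins group DN and the sample ACIs are all constructed assumptions; the audit also assumes every ACI lives on the suffix entry, so an ACI without a target clause covers the whole suffix. The negated `targetattr !=` form is handled explicitly, since it silently includes credential attributes that are not listed.

```python
import re

# Constructed DNs: assumptions for this example, not FreeIPA's real values.
SUFFIX = "dc=example,dc=test"
STAGE_CONTAINER = "cn=staged users,cn=accounts,cn=provisioning," + SUFFIX
ADMINS_GROUP = "cn=admins,cn=groups,cn=accounts," + SUFFIX

# The two attributes the thread says admins must not read suffix-wide.
CREDENTIAL_ATTRS = {"userpassword", "krbprincipalkey"}
# Rights that let an entry's attribute value be obtained or tested.
READ_LIKE_RIGHTS = {"read", "search", "compare", "all"}

# Assumed 389-ds ACI clause shapes: (targetattr = "a || b"), (target = "ldap:///dn"),
# acl "name", allow (right, right).
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', re.I)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.I)
ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)', re.I)

# Constructed sample ACIs (hypothetical; only the first mirrors the attribute
# list quoted in the thread).
SAMPLE_ACIS = [
    # Read-only attributes: no credential attribute present, so not flagged.
    '(targetattr = "ipaUniqueId || memberOf || enrolledBy || krbExtraData || '
    'krbPrincipalName || krbCanonicalName || krbPasswordExpiration || '
    'krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth")'
    '(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) '
    f'groupdn = "ldap:///{ADMINS_GROUP}";)',
    # Hypothetical grant limited to the stage container, as proposed in the thread.
    f'(target = "ldap:///uid=*,{STAGE_CONTAINER}")'
    '(targetattr = "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Admin read staged credentials"; allow (read, search, compare) '
    f'groupdn = "ldap:///{ADMINS_GROUP}";)',
    # Hypothetical misconfiguration: a negated targetattr on the suffix entry
    # covers every attribute except memberOf, credentials included.
    '(targetattr != "memberOf")'
    '(version 3.0; acl "Admin read everything else"; allow (read, search, compare) '
    f'groupdn = "ldap:///{ADMINS_GROUP}";)',
    # Write-only self-service password change: no read exposure, not flagged.
    '(targetattr = "userPassword")'
    '(version 3.0; acl "Self change password"; allow (write) userdn = "ldap:///self";)',
]


def parse_aci(aci):
    """Extract the fields the audit needs from one ACI string."""
    m_attr = TARGETATTR_RE.search(aci)
    if m_attr is None:
        raise ValueError("ACI has no targetattr clause: " + aci)
    negated = m_attr.group(1) == "!="
    attrs = {a.strip().lower() for a in m_attr.group(2).split("||") if a.strip()}
    m_target = TARGET_RE.search(aci)
    m_name = ACL_NAME_RE.search(aci)
    m_allow = ALLOW_RE.search(aci)
    rights = set()
    if m_allow:
        rights = {r.strip().lower() for r in m_allow.group(1).split(",") if r.strip()}
    return {
        "name": m_name.group(1) if m_name else "<unnamed>",
        "attrs": attrs,
        "negated": negated,
        "target_dn": m_target.group(1).lower() if m_target else None,
        "rights": rights,
    }


def exposed_credential_attrs(parsed):
    """Credential attributes this ACI makes readable, testable or searchable."""
    if not parsed["rights"] & READ_LIKE_RIGHTS:
        return set()
    attrs = parsed["attrs"]
    if parsed["negated"]:
        # "everything except the listed attributes" includes credentials not listed
        return CREDENTIAL_ATTRS - attrs
    if "*" in attrs:
        return set(CREDENTIAL_ATTRS)
    return CREDENTIAL_ATTRS & attrs


def is_scoped_to(parsed, container_dn):
    """True when the ACI's target lies inside container_dn (case-insensitive DN match)."""
    target = parsed["target_dn"]
    if target is None:
        return False  # no target clause: applies to the whole suffix
    container = container_dn.lower()
    return target == container or target.endswith("," + container)


def audit(aci_strings, container_dn=STAGE_CONTAINER):
    """Return one finding per ACI that exposes a credential attribute."""
    findings = []
    for aci in aci_strings:
        parsed = parse_aci(aci)
        exposed = exposed_credential_attrs(parsed)
        if not exposed:
            continue
        findings.append({
            "name": parsed["name"],
            "attrs": sorted(exposed),
            "scope": "stage-container" if is_scoped_to(parsed, container_dn) else "suffix-wide",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACIS):
        print(f'{finding["scope"]:16} {finding["name"]}: {", ".join(finding["attrs"])}')
```

Run against a real server, the input would be the `aci` values read from the suffix entry rather than the constructed list; the point of the scope column is that a stage-container grant shows up as a deliberate, narrow exception while a suffix-wide one is exactly the accidental-disclosure risk the reply describes.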