[Freeipa-users] Granting rights temporarily

Simo Sorce simo at redhat.com
Thu Feb 14 16:03:05 UTC 2013


On Thu, 2013-02-14 at 08:30 -0700, Rich Megginson wrote:
> On 02/14/2013 06:54 AM, Simo Sorce wrote:
> > On Thu, 2013-02-14 at 10:02 +0100, Dag Wieers wrote:
> >> Hi,
> >>
> >> Another interesting recommendation from security is that all granted
> >> access (that is exceptional, rather than permanent) should be limited in
> >> time from the onset.
> >>
> >> If this is not possible all granted access needs to be documented and
> >> revised regularly. However a system that would automatically revoke access
> >> after a certain period is preferred from a security/administrative
> >> perspective. (Period to be defined when granting access)
> >>
> >> This would mean that e.g. sudo-rules, group memberships, etc. could have
> >> due dates and that IPA ensures that these rights are revoked in due time.
> >>
> >> So I was wondering whether this is something that was already discussed as
> >> a feature for IPA ?
> > sudo rules have sudoNotBefore and sudoNotAfter attributes, so you can limit
> > their validity.
> >
> > User accounts have an expiration time as well.
> >
> > There is no expiration time for groups or group membership, we have not
> > had any previous request or need for this and I am not sure it really is
> > possible to do this for group memberships.
> 
> Someone was asking for this in one of the OpenLDAP forums.  They want to 
> be able to expire group membership after a certain time. They were going 
> to create a new syntax which would be something like
> 
> generalizedTime DELIM distinguishedName
> 
> e.g.
> dn: cn=temporaryAdminGroup,....
> timedmember: 20130215120000Z$uid=richm,......
> 
> After 20130215120000Z is hit, the value would be removed from the group.

To me it looks like a bad hack and breaks all existing clients. I do not
think it is a viable interface except for purpose-built software.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
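
The two time limits discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA or OpenLDAP code: it checks a sudo rule against its sudoNotBefore/sudoNotAfter window and finds expired values in the proposed generalizedTime$DN form. The function names, the sample DNs and the open-ended handling of a missing bound are assumptions made for this sketch.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse the UTC form YYYYMMDDHHMMSSZ used in the thread's example."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_timed_member(value):
    """Split 'generalizedTime$DN' on the first '$' (the time part has none)."""
    stamp, sep, dn = value.partition("$")
    if not sep or not dn:
        raise ValueError(f"not a timed member value: {value!r}")
    return parse_generalized_time(stamp), dn

def expired_members(values, now):
    """DNs whose expiry time has been reached and would be removed."""
    expired = []
    for value in values:
        expiry, dn = parse_timed_member(value)
        if expiry <= now:
            expired.append(dn)
    return expired

def sudo_rule_active(attrs, now):
    """True if 'now' is inside the sudoNotBefore/sudoNotAfter window.
    Assumption: a missing bound leaves that side open-ended."""
    not_before = attrs.get("sudoNotBefore")
    not_after = attrs.get("sudoNotAfter")
    if not_before and now < parse_generalized_time(not_before):
        return False
    if not_after and now > parse_generalized_time(not_after):
        return False
    return True

# Constructed sample data; the DNs are placeholders, not taken from the thread.
SAMPLE_TIMED_MEMBERS = [
    "20130215120000Z$uid=alice,cn=users,dc=example,dc=test",
    "20130301000000Z$uid=bob,cn=users,dc=example,dc=test",
]
SAMPLE_SUDO_RULE = {
    "sudoNotBefore": "20130214000000Z",
    "sudoNotAfter": "20130215120000Z",
}

if __name__ == "__main__":
    now = datetime(2013, 2, 15, 12, 0, 0, tzinfo=timezone.utc)
    print("expired members:", expired_members(SAMPLE_TIMED_MEMBERS, now))
    print("sudo rule active:", sudo_rule_active(SAMPLE_SUDO_RULE, now))
```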
