[Freeipa-users] Delegation + visibility on users/user groups

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 15 15:01:52 UTC 2017


On Wed, 15 Feb 2017, Michael Ströder wrote:
>On 2017-02-15 11:51, Alexander Bokovoy wrote:
>>On Wed, 15 Feb 2017, Gerald Zabos wrote:
>>>Use case: external customer gets limited access and MUST NOT see our
>>>internal users and/or other external customers.
>>
>>Not seeing other users or objects is not possible with the FreeIPA
>>design. It is also security through obscurity and doesn't really
>>contribute anything.
>
>IMHO such a use-case is a valid security requirement for preventing
>social engineering threats.
>
>Anyway customer accounts are critical regarding _confidentiality_:
>
>1. Customers must not see internal users and their contact data
>   for not being able to circumvent controlled support processes.
>
>2. Customers must not see other customers (competitors) because this
>   could cause business trouble.
>
>IMHO dealing with customer accounts is very tricky because normal
>user management is optimized for collaboration and not for
>multi-tenant confidentiality.
You seem to assume something that is not really part of the FreeIPA design.
FreeIPA has a flat DIT, with no OUs or other segregation means. All users
and all groups are at the same level, and there is no mechanism to make
them invisible to each other.

Additionally, it would not give you much protection against hosts,
because each enrolled host can see (read-only) all users and groups. If
host principals were not able to do so, SSSD would not be able to
retrieve identity information.

Even if a user has no control over their own enrolled machine, the POSIX
identity retrieval API also has no separation feature. If you are able
to issue a getpwnam() or getpwuid() call, you are able to methodically
iterate through all POSIX attributes of all users, even if inefficiently.

Note that FreeIPA is not alone in this. Active Directory allows all machines
in the domain to query identity information even if you are not able to
see it directly from LDAP. The Global Catalog service also gives all users
at least read-only access to the whole forest's identity information.

This is why I called the proposed approach to solving this use case
security through obscurity. The API is there to readily retrieve most of
the information without any really involved effort.

-- 
/ Alexander Bokovoy
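The "methodical iteration" through getpwuid() that the message describes, as an added example that is not part of the original thread and not FreeIPA or SSSD code. It assumes a glibc/NSS system (any Linux box, enrolled or not); the UID range given on the command line is an assumption, since the real FreeIPA range is whatever `ipa idrange-find` reports. The comparison with getpwent() is the practical caveat: with SSSD's default `enumerate = false`, bulk enumeration returns only local /etc/passwd entries, yet every domain user still resolves through a point lookup, so a plain loop over the ID range recovers name, GECOS, home and shell for all of them without any LDAP search rights.

```c
#define _GNU_SOURCE 1
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* One resolved identity, copied out of the getpwuid() result because the
 * struct passwd it returns points into a static buffer that the next NSS
 * call overwrites. */
struct ident {
    uid_t uid;
    gid_t gid;
    char  name[128];
    char  gecos[128];
    char  home[128];
    char  shell[128];
};

static void copy_field(char *dst, size_t n, const char *src)
{
    snprintf(dst, n, "%s", src ? src : "");
}

/* Probe every UID in the closed range [lo, hi] with getpwuid() and copy
 * each hit into out. Returns the number of identities found (at most max).
 * No directory search permission is involved: only NSS point lookups,
 * which SSSD answers for any enrolled host. */
size_t probe_uid_range(uid_t lo, uid_t hi, struct ident *out, size_t max)
{
    size_t n = 0;
    uid_t uid = lo;

    if (lo > hi)
        return 0;
    for (;;) {
        struct passwd *pw = getpwuid(uid);
        if (pw != NULL && n < max) {
            out[n].uid = pw->pw_uid;
            out[n].gid = pw->pw_gid;
            copy_field(out[n].name,  sizeof out[n].name,  pw->pw_name);
            copy_field(out[n].gecos, sizeof out[n].gecos, pw->pw_gecos);
            copy_field(out[n].home,  sizeof out[n].home,  pw->pw_dir);
            copy_field(out[n].shell, sizeof out[n].shell, pw->pw_shell);
            n++;
        }
        if (uid == hi || n == max)   /* uid_t is unsigned: stop before wrapping */
            break;
        uid++;
    }
    return n;
}

/* Resolve a login name to a UID with getpwnam(). Returns 0 on success,
 * -1 if no configured NSS backend knows the name. */
int uid_of(const char *name, uid_t *uid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    return 0;
}

/* Count what bulk enumeration hands back, for comparison. With SSSD's
 * default enumerate = false this covers only local files; the per-UID
 * probe above still resolves every domain user. */
size_t count_via_getpwent(void)
{
    size_t n = 0;
    setpwent();
    while (getpwent() != NULL)
        n++;
    endpwent();
    return n;
}

int main(int argc, char **argv)
{
    /* Usage: ./probe [lo hi]; the default 0..65535 is an assumed local range,
     * replace it with the base/size from `ipa idrange-find` on a real host. */
    uid_t lo = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : 0;
    uid_t hi = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : 65535;
    static struct ident found[4096];
    size_t n = probe_uid_range(lo, hi, found, sizeof found / sizeof found[0]);

    printf("getpwent() enumerated %zu entries; probing UIDs %lu..%lu found %zu\n",
           count_via_getpwent(), (unsigned long)lo, (unsigned long)hi, n);
    for (size_t i = 0; i < n; i++)
        printf("%6lu %-20s gecos=\"%s\" home=%s shell=%s\n",
               (unsigned long)found[i].uid, found[i].name,
               found[i].gecos, found[i].home, found[i].shell);
    return 0;
}
```

Run it unprivileged on an enrolled client with the domain's ID range and compare the two counts: the gap between what getpwent() lists and what the probe finds is exactly the "invisibility" the thread is asking for, and it does not exist at the NSS layer. SSSD caches each hit, so a full pass over a 200000-wide range is slow the first time but cheap to repeat.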
