[Freeipa-devel] User life cycle: Question about ACI "Admin read-only attributes"

thierry bordaz tbordaz at redhat.com
Mon Mar 30 12:00:43 UTC 2015


On 03/30/2015 01:03 PM, Petr Spacek wrote:
> On 30.3.2015 11:50, thierry bordaz wrote:
>> Hello,
>>
>>     The aci "Admin read-only attributes" grants, for the complete
>>     suffix, read access to 'admin' users for the following attributes.
>>
>>         "ipaUniqueId || memberOf || enrolledBy || krbExtraData ||
>>         krbPrincipalName || krbCanonicalName || krbPasswordExpiration ||
>>         krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth"
>>
>>
>>     "userPassword" and "krbPrincipalKey" are not "read-only" attributes
>>     so I guess it is the reason why they are not part of this list.
>>
>>     For User life cycle, I would need admin users to be granted read
>>     access on "userPassword" and "krbPrincipalKey".
>>     The scope could be limited to Stage container but I was wondering if
>>     there is a security reason to not grant read access on the full suffix?
> AFAIK admins were not given read access to keys and passwords on purpose as a
> security measure. It prevents accidental key disclosure when an admin does an
> ldapsearch and posts the result somewhere (e.g. while debugging something).
Yes, that sounds like a very good reason.
>
> I did not follow the whole user life-cycle discussion. Why do you need read
> access to it? Is it because you plan to do add/del instead of modrdn?
>
There are two use cases where I think I need access to those attributes:

  * A stage entry can have userpassword/krb keys attributes.
    When activating an entry, those values are copied to the active entry,
    so the newly active user can authenticate with the credentials set
    while his entry was in the stage container.
    In that case, it would need read access because the stage entry is
    copied into a new entry (ADD).
  * An active entry is deleted (preserve mode), so the entry is modrdn'ed
    to the delete container.
    Then, to prevent the reuse of old credentials, those attributes are
    cleared.
    So here I would need read/search/write access to those attributes
    in the delete container.

That means that if I limit the ACIs to the stage/delete containers, an admin
could accidentally disclose the keys of stage/delete entries.

thanks
thierry
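As an added example (not part of this thread or of FreeIPA's own code), a small Python audit that parses ACIs in the 389-DS syntax quoted above and reports which ones grant read/search/compare on userPassword or krbPrincipalKey, and under which target DN. The suffix, container and group DNs are constructed placeholders; the audit also handles the `targetattr != "..."` form, where the listed attributes are the excluded ones.

```python
import re

SENSITIVE = {"userpassword", "krbprincipalkey"}  # the thread's credential attributes
READ_PERMS = {"read", "search", "compare"}
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.I)
TARGET_RE = re.compile(r'\(target\s*=\s*"ldap:///([^"]*)"\)', re.I)
BODY_RE = re.compile(r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*'
                     r'\(([^)]*)\)\s*(.*?);\s*\)', re.I | re.S)

def parse_aci(aci, suffix):
    """Parse the 389-DS ACI subset FreeIPA uses; no (target=...) means the whole suffix."""
    body = BODY_RE.search(aci)
    if not body:
        raise ValueError("unsupported ACI syntax: " + aci)
    name, effect, perms, bind = body.groups()
    ta, tg = TARGETATTR_RE.search(aci), TARGET_RE.search(aci)
    op, attrs = ta.groups() if ta else ("=", "*")
    return {"name": name, "effect": effect.lower(), "bind": bind.strip(),
            "perms": {p.strip().lower() for p in perms.split(",")},
            "negated": op == "!=",           # '!=' lists the EXCLUDED attributes
            "attrs": {a.strip().lower() for a in attrs.split("||")},
            "target": (tg.group(1) if tg else suffix).lower()}

def exposed_attrs(p):
    """Credential attributes this ACI lets the bound user read, search or compare."""
    if p["effect"] != "allow" or not (p["perms"] & READ_PERMS):
        return set()
    if p["negated"]:
        return SENSITIVE - p["attrs"]
    return set(SENSITIVE) if "*" in p["attrs"] else SENSITIVE & p["attrs"]

def credential_exposure(acis, suffix):
    """[(acl name, target DN, sorted exposed attrs)] for each ACI exposing credentials."""
    return [(p["name"], p["target"], sorted(exposed_attrs(p)))
            for p in map(lambda a: parse_aci(a, suffix), acis) if exposed_attrs(p)]

# Constructed sample: suffix, container and group DNs are placeholders, not FreeIPA's.
SUFFIX = "dc=example,dc=test"
ADMINS = ' groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)'
SAMPLE_ACIS = [
    # The ACI quoted in the thread: read-only attributes, whole suffix, no credentials.
    '(targetattr = "ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName ||'
    ' krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth ||'
    ' krbLastFailedAuth")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare)' + ADMINS,
    # The proposal: credentials readable, but only under the (constructed) stage container.
    '(target = "ldap:///cn=stage,dc=example,dc=test")(targetattr = "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Admin read stage credentials"; allow (read, search, compare)' + ADMINS,
    # The mistake an audit should catch: '!=' excludes only memberOf, so keys leak suffix-wide.
    '(targetattr != "memberOf")(version 3.0; acl "Over-broad"; allow (read)' + ADMINS,
]
```

Running `credential_exposure(SAMPLE_ACIS, SUFFIX)` flags the scoped proposal under the stage container and the over-broad `!=` ACI under the whole suffix, while the thread's read-only ACI is not reported.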
