[Freeipa-devel] per-group password policy proposal

Dmitri Pal dpal at redhat.com
Thu Jun 11 22:30:33 UTC 2009 

Simo Sorce wrote:
> On Thu, 2009-06-11 at 17:34 -0400, Dmitri Pal wrote:
>   
>> Sorry Simo I disagree. I think it is too complex, hard to mange and
>> not deterministic enough.
>>     
>
> Can you explain where you see a problem, it seem pretty simple to me.
>   
I see a problem in determining what policy was used when something 
happened in the past.
Also the CoS is a complex notion and would be hard for admins to 
understand how to manage.
What is simple to you does not mean simple  for others. And you even 
acknowledged the complexity yourself.

>   
>> Add to it that it can have problems with access control. In bulk
>> update proposal you have to explicitly update user records to apply
>> the policies.
>>     
>
> You need to be able to be able to write to groups to change users
> memberships, so I don't see where there is an access control problem.
>   
You might have a right to create and nest groups and you will mess your 
environment by not understanding the impact.
With update case you can only ever affect users that you can access and 
you can't do the operation inadvertently.
You have to actually go and apply the policy. With groups approach you 
can create a new nesting and not realize that it affected password 
policies in the way you did not expected or wanted.
Finally to check what policy is active for the user you just quesry the 
user and see that if he has policy attributes this is the policy that 
applies, if he does not than the default one is used.
Very simple, logical and easy to work with.


>   
>> So admin has to have the rights to do so. He will be able to only
>> modify policies for the users that he can access.
>>     
>
> I think that password policies should be managed primarily through
> groups that are used only to convey password policies. These groups
> should be manageable only by admins that have enough privileges to
> change password policies. I don't see an access control problem here.
>   
I agree with the statement. But difference is that the groups will be 
used to define the set of users to which the policies should apply.

>   
>> With Rob's proposal one can mess with the group nesting and not
>> realize that he weakened the policies for the highly sensitive
>> accounts.
>>     
>
> You can't weaken policies, because weaker policies have a lower Cos
> Priority, so they will never "win" when multiple policies are available
> for the same user. Always the highest (== most restrictive wins).
>
>   
Poor auditor...


>> I think we can add this kind of functionality later on top of the
>> direct updates if the users complain.
>>     
>
> Direct updates are cumbersome prone to fail and cause a lot of
> unnecessary traffic (therefore also slow). I really don't see any
> advantage.
>   
If it is done the plugin it is not remote.
It is not a frequent operation so performance issues are not that important.
It is a major security thing - it does not happen every day.
It should not be dynamic as you propose and the price is even better to 
discourage admin to flip-flop and take this seriously.
If the update failed the CLI or UI should just report it back letting 
admin to take a corrective action.


>   
>> I doubt they will. Keep in mind that the PRD item was written having 
>> bulk update in mind.
>>     
>
> Yes, but I see no risk here.
> If you mess up managing groups or determining password policies or their
> priorities you can also mess up bulk updates.
>   
I suggest we ask the freeipa-users about these two alternatives and see 
what the community will say.
May be I am wrong but I have seen problems with the flexible group 
approach in the past so I do not like it.



> Simo.
>
>   


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-devel mailing list