[Freeipa-devel] Visibility of the sensitive LDAP data
Dmitri Pal
dpal at redhat.com
Wed Jun 8 19:29:51 UTC 2011
On 06/08/2011 03:15 PM, JR Aquino wrote:
>>> 1) Leave as is and not bother at all (i.e. it is what it is)
>>> >> 2) Leave as is and defer the solution till later (do not fix it in 2.1
>>> >> defer to 2.2)
>>> >> 3) Leave as is but document how to do it using permissions & ACIs
>>> >> 4) Provide default ACIs that would hide the records for the broad user
>>> >> population
>>> >>
>>> >> Looking for an opinion here.
>> >
>> > I am for (2)
>> >
>> > Simo.
>> >
> I am also for (2)
>
> This logic becomes quite tricky however, because controlling this via ACI's would have to be cognizant of the authenticated user to be able to make the decision to show them only their /OWN/ authorization/access rights...
I am not sure if the user really needs to see these things at all. The
SUDO and HBAC rules should be seen by SSSD or the LDAP client on the
host (until SUDO is SSSD integrated) the user does not need to see or
fetch the rules for himself. I do not think that any system exposes its
access control rules in a way that user can inspect and see in advance
what he can do and what he can't.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110608/ef0476ef/attachment.htm>
More information about the Freeipa-devel
mailing list