On 11/21/2013 09:54 PM, Dmitri Pal wrote:
On 11/21/2013 01:34 PM, Nathaniel McCallum wrote:
The password can be retrieved with radiusproxy-show --all, because it is
not blocked by LDAP ACIs. Is that intended?
Yes. But I'm torn as to whether or not this is a good idea. Regular
users can't see radius proxy servers at all. Admins can see all
It is common in radius server deployments to have a text file readable
by root with the radius secret. The current LDAP policy replicates this
"expected" behavior. It may be wise to block all reads of the secret
though. I'm open to suggestions.
If it is readable by admin only I would leave it as is for now and
address later when we redo ACIs.
CCing Simo since this is ACI-related
Freeipa-devel mailing list