On Thu, 2013-11-21 at 15:54 -0500, Dmitri Pal wrote:
> On 11/21/2013 01:34 PM, Nathaniel McCallum wrote:
> >> The password can be retrieved with radiusproxy-show --all, because it is 
> >> > not blocked by LDAP ACIs. Is that intended?
> > Yes. But I'm torn as to whether or not this is a good idea. Regular
> > users can't see radius proxy servers at all. Admins can see all
> > attributes.
> >
> > It is common in radius server deployments to have a text file readable
> > by root with the radius secret. The current LDAP policy replicates this
> > "expected" behavior. It may be wise to block all reads of the secret
> > though. I'm open to suggestions.
> >
> If it is readable by admin only I would leave it as is for now and
> address later when we redo ACIs.

Is this specific to the one and only admin account or does it extend to
any user in the admins group ?

Looking at the current master it seem *any* user except anonymous can
read secrets ? Or is there a patch I am missing ?
I think this is too broad.


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to