On Wed, 2013-11-27 at 14:34 +0000, Simo Sorce wrote:
> On Thu, 2013-11-21 at 15:54 -0500, Dmitri Pal wrote:
> > On 11/21/2013 01:34 PM, Nathaniel McCallum wrote:
> > >> The password can be retrieved with radiusproxy-show --all, because it is
> > >> not blocked by LDAP ACIs. Is that intended?
> > > Yes. But I'm torn as to whether or not this is a good idea. Regular
> > > users can't see radius proxy servers at all. Admins can see all
> > > attributes.
> > >
> > > It is common in radius server deployments to have a text file readable
> > > by root with the radius secret. The current LDAP policy replicates this
> > > "expected" behavior. It may be wise to block all reads of the secret
> > > though. I'm open to suggestions.
> > >
> > If it is readable by admin only I would leave it as is for now and
> > address later when we redo ACIs.
> 
> Is this specific to the one and only admin account or does it extend to
> any user in the admins group ?

All admins. See ipatokenRadiusConfiguration in
install/share/default-aci.ldif. Read access is denied to everyone except
admins. The entire class is hidden from normal users. See below.

> Looking at the current master it seem *any* user except anonymous can
> read secrets ? Or is there a patch I am missing ?
> I think this is too broad.

[root@freeipa ~]# kinit admin
Password for ad...@example.com: 
[root@freeipa ~]# ipa radiusproxy-find
-----------------------------
1 RADIUS proxy server matched
-----------------------------
  RADIUS proxy server name: foo
  Server: foo
----------------------------
Number of entries returned 1
----------------------------

[root@freeipa ~]# kinit test
Password for t...@example.com: 
kinit: Password incorrect while getting initial credentials
[root@freeipa ~]# kinit test
Password for t...@example.com: 
[root@freeipa ~]# ipa radiusproxy-find
------------------------------
0 RADIUS proxy servers matched
------------------------------
----------------------------
Number of entries returned 0
----------------------------

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel