Hi Fraser,

  Thanks for the reply.  Agreed that a vault stores a secret; however, when
that secret is, say, a pw for a shared ID like, for instance, root.  While
a number of people can access the password for root in the vault, I might
not want 20 people using the root pw at the same time because I am losing
traceability as to who is using root.  Other vaults use the concept of
checking in/out the password, so while it is checked out no one else can get
the password, leaving the traceability intact.  When the password is
checked in, the password is automatically reset, so the last person that
knew it can no longer use it without going through the check-out process again,
which satisfies a lot of regulatory/audit concerns.


  It would appear those types of features are not available in the IPA
vault but wanted to confirm it with you all.


Sean Hogan
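As an added illustration (not FreeIPA code and not part of the thread): a small Python model of the two access models being compared, a shared-read vault where every authorised member retrieves the same secret, versus the exclusive check-out/check-in workflow described above, where a check-in rotates the secret and leaves an audit trail. Class names, member lists and the rotation method are assumptions made for the example.

```python
import secrets


class SharedVault:
    """Shared-read model: every authorised member reads the same datum.

    There is no holder, no lock and no rotation, so nothing ties a given
    use of the secret back to one person.
    """

    def __init__(self, secret, members):
        self._secret = secret
        self._members = set(members)

    def retrieve(self, user):
        if user not in self._members:
            raise PermissionError(f"{user} is not authorised")
        return self._secret


class CheckoutVault:
    """Exclusive check-out model: one holder at a time, rotate on check-in."""

    def __init__(self, secret, members):
        self._secret = secret
        self._members = set(members)
        self.holder = None       # who currently holds the secret, if anyone
        self.audit = []          # (event, user) pairs in order

    def checkout(self, user):
        if user not in self._members:
            raise PermissionError(f"{user} is not authorised")
        if self.holder is not None and self.holder != user:
            # Refusing here is what preserves traceability: only one
            # person can be using the shared ID at any moment.
            raise RuntimeError(f"already checked out by {self.holder}")
        self.holder = user
        self.audit.append(("checkout", user))
        return self._secret

    def checkin(self, user):
        if self.holder != user:
            raise RuntimeError(f"{user} does not hold the secret")
        # Rotate so the value the last holder saw can no longer be used
        # without going through checkout again (constructed rotation).
        self._secret = secrets.token_urlsafe(24)
        self.holder = None
        self.audit.append(("checkin", user))
```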

From:   Fraser Tweedale via FreeIPA-users
            <freeipa-users@lists.fedorahosted.org>
To:     FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc:     Sean Hogan <scho...@us.ibm.com>, Fraser Tweedale
            <ftwee...@redhat.com>
Date:   01/08/2018 06:20 PM
Subject:        [Freeipa-users] Re: IPA Password Vault



On Mon, Jan 08, 2018 at 08:44:29AM -0700, Sean Hogan via FreeIPA-users
wrote:
>
>
>   Hello,
>
>  I have recently been looking into the password vault for IPA and would
> like to implement however I have not been able to find an answer to a
> compliance question on it yet.
>
>
>    Does the IPA PW vault limit checking out the password for a shared id to
> one person at a time?  I am thinking this would ensure that personal
> accountability of that ID being used instead of allowing multiple people
> checking out the same id password.
>
> RHEL 7.3 IPA 4.4
>
I'm not 100% sure what you are asking.  Vault is for storing a
secret.  A shared vault means more than one person can read the
vault.  Authorised people can "retrieve" the secret, but the datum
is the same for each person, and there is no concept of "checking
out" or "locking".

Hope that helps,
Fraser

>
>
> Sean Hogan
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org