Hi Fraser,

Thanks for the reply. Agreed that a vault stores a secret, however when that secret is, say, a pw for a shared ID like for instance.... root. While a number of people can access the password for root in the vault, I might not want 20 people using the root pw at the same time because I am losing traceability as to who is using root. Other vaults use the concept of checking in/out the password, so while it is checked out no one else can get the password, leaving the traceability intact. When the password is checked in, the password is automatically reset so the last person that knew it can no longer use it without going through the check-out process again, which satisfies a lot of regulatory/audit concerns.

It would appear those types of features are not available in the IPA vault but wanted to confirm it with you all.

Sean Hogan

From: Fraser Tweedale via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Sean Hogan <scho...@us.ibm.com>, Fraser Tweedale <ftwee...@redhat.com>
Date: 01/08/2018 06:20 PM
Subject: [Freeipa-users] Re: IPA Password Vault

On Mon, Jan 08, 2018 at 08:44:29AM -0700, Sean Hogan via FreeIPA-users wrote:
> Hello,
>
> I have recently been looking into the password vault for IPA and would
> like to implement however I have not been able to find an answer to a
> compliance question on it yet.
>
> Does the IPA PW vault limit checking out the password for a shared id to
> one person at a time? I am thinking this would ensure that personal
> accountability of that ID being used instead of allowing multiple people
> checking out the same id password.
>
> RHEL 7.3 IPA 4.4
>
I'm not 100% sure what you are asking. Vault is for storing a secret.
A shared vault means more than one person can read the vault.
Authorised people can "retrieve" the secret, but the datum is the same
for each person, and there is no concept of "checking out" or "locking".

Hope that helps,
Fraser

> Sean Hogan
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
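The single-holder check-out model Sean describes (exclusive lease, automatic reset on check-in, per-user audit trail), with the shared-retrieve model Fraser describes beside it for contrast, as an added Python example; this is not code from the thread or from FreeIPA, and the class names, user names and sample password are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


class SharedVault:
    """Shared-retrieve model: every member reads the same datum, no locking."""
    def __init__(self, secret, members):
        self.secret, self.members, self.audit = secret, set(members), []

    def retrieve(self, user):
        if user not in self.members:
            raise PermissionError(f"{user} is not a vault member")
        self.audit.append(("retrieve", user))  # records the read, not who later used it
        return self.secret


@dataclass
class CheckoutVault:
    """Exclusive check-out model: one holder at a time, rotate on check-in."""
    secret: str
    holder: str = ""                      # "" means nobody holds the lease
    audit: list = field(default_factory=list)

    def checkout(self, user):
        if self.holder:                   # refuse a second concurrent holder
            self.audit.append(("denied", user))
            raise PermissionError(f"already checked out by {self.holder}")
        self.holder = user
        self.audit.append(("checkout", user))
        return self.secret

    def checkin(self, user):
        if user != self.holder:           # only the holder can release the lease
            raise PermissionError("not the current holder")
        self.secret = secrets.token_urlsafe(16)  # rotate: the value just handed out dies
        self.holder = ""
        self.audit.append(("checkin+rotate", user))


def demo():
    shared = SharedVault("r00t-pw", ["alice", "bob"])  # constructed sample values
    shared.retrieve("alice"); shared.retrieve("bob")    # both now know the same pw
    vault = CheckoutVault("r00t-pw")
    old = vault.checkout("alice")
    try:
        vault.checkout("bob")                           # blocked while alice holds it
    except PermissionError:
        pass
    vault.checkin("alice")
    return shared.audit, vault.audit, old == vault.secret
```

The shared audit log can only say that both users read the value; the check-out log names one accountable holder per interval and shows the denied second request, and after check-in the password alice learned no longer matches the vault.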