On ke, 28 huhti 2021, Dominik Vogt via FreeIPA-users wrote:
On Wed, Apr 28, 2021 at 02:57:08PM +0300, Alexander Bokovoy via FreeIPA-users
wrote:
On ke, 28 huhti 2021, Dominik Vogt via FreeIPA-users wrote:
> So there is no way to prevent that someone issues administrative
> ipa command from any host, except by keeping the password secret?
Correct, you have to keep passwords safe from the parties you don't want
to use the powers those passwords entail.
Will the clients work if we delete the /usr/bin/ipa on them?
If you'd want to remove IPA client componets after enrolling, then you
need to remove python3-ipalib (on Fedora or RHEL 8). That would remove
freeipa-client and python3-ipaclient but it will not remove any
configuration, so things would continue working. At least theoretically,
I haven't tried that myself.
I'd recommend you to investigate this on your own before deploying such
changes. Note that IPA API use does not require existence of these
packages and people can actually communicate with IPA server with just
an HTTPS request, using whatever HTTP client they have. So, removing
packages will not solve your problem at all.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
