Another interesting recommendation from security is that all granted
access (that is, exceptional rather than permanent access) should be limited in
time from the onset.

If this is not possible, all granted access needs to be documented and
revised regularly. However, a system that would automatically revoke access
after a certain period is preferred from a security/administrative
perspective (the period to be defined when granting access).

This would mean that e.g. sudo-rules, group memberships, etc. could have
due dates and that IPA ensures that these rights are revoked in due time.

So I was wondering whether this is something that was already discussed as
a feature for IPA?

sudo rules have sudoNotBefore and sudoNotAfter attributes, so you can limit
their validity.

User accounts have an expiration time as well.

There is no expiration time for groups or group membership, we have not
had any previous request or need for this and I am not sure it really is
possible to do this for group memberships.

Someone was asking for this in one of the OpenLDAP forums. They want to be able to expire group membership after a certain time. They were going to create a new syntax which would be something like

generalizedTime DELIM distinguishedName

dn: cn=temporaryAdminGroup,....
timedmember: 20130215120000Z$uid=richm,......

After 20130215120000Z is hit, the value would be removed from the group.
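As an added illustration (not code from this thread, from IPA, or from OpenLDAP), the following Python evaluates both kinds of time bound mentioned above: the sudoNotBefore/sudoNotAfter window on a sudo rule, and the proposed "generalizedTime DELIM distinguishedName" timedmember value using the `$` delimiter shown in the example. The entry data, DNs and the `review` job are constructed for this example; the timedmember attribute itself is only a proposal in the thread, not a real schema, and the inclusive/exclusive handling of the window edges is an assumption stated in the comments.

```python
"""Added example: evaluating time-limited access entries as discussed in the
thread. Not IPA or OpenLDAP code; all directory data below is constructed."""
from datetime import datetime, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC LDAP GeneralizedTime such as 20130215120000Z.
    Fractional seconds and numeric UTC offsets are deliberately not handled."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def sudo_rule_active(rule: dict, now: datetime) -> bool:
    """True if 'now' lies inside the rule's validity window.
    Assumption: sudoNotBefore is inclusive, sudoNotAfter is exclusive, and an
    absent attribute means no bound on that side."""
    not_before = rule.get("sudoNotBefore")
    not_after = rule.get("sudoNotAfter")
    if not_before and now < parse_generalized_time(not_before):
        return False
    if not_after and now >= parse_generalized_time(not_after):
        return False
    return True


def split_timed_member(value: str, delim: str = "$") -> tuple:
    """Split the proposed 'generalizedTime DELIM distinguishedName' value.
    '$' is the delimiter used in the thread's example; the syntax is hypothetical."""
    stamp, sep, dn = value.partition(delim)
    if not sep or not dn:
        raise ValueError(f"malformed timedmember value: {value!r}")
    return parse_generalized_time(stamp), dn


def expire_timed_members(values: list, now: datetime) -> tuple:
    """Partition timedmember values into (values_to_keep, expired_member_dns).
    A value whose timestamp has been reached counts as expired, matching the
    thread's description that the value is removed once the time is hit."""
    keep, expired = [], []
    for value in values:
        expiry, dn = split_timed_member(value)
        if now >= expiry:
            expired.append(dn)
        else:
            keep.append(value)
    return keep, expired


# Constructed sample entries (not from any real directory).
SAMPLE_SUDO_RULES = {
    "ops-reboot": {"sudoNotBefore": "20130201000000Z", "sudoNotAfter": "20130301000000Z"},
    "audit-readonly": {"sudoNotAfter": "20130210000000Z"},
    "permanent": {},
}
SAMPLE_TIMED_MEMBERS = [
    "20130215120000Z$uid=richm,cn=users,cn=accounts,dc=example,dc=com",
    "20130301000000Z$uid=alice,cn=users,cn=accounts,dc=example,dc=com",
]
NOW = datetime(2013, 2, 15, 12, 0, 0, tzinfo=timezone.utc)


def review(now: datetime = NOW) -> dict:
    """Summarise what a periodic revocation job would act on at 'now'."""
    inactive = sorted(name for name, rule in SAMPLE_SUDO_RULES.items()
                      if not sudo_rule_active(rule, now))
    keep, expired = expire_timed_members(SAMPLE_TIMED_MEMBERS, now)
    return {
        "inactive_sudo_rules": inactive,
        "expired_members": expired,
        "remaining_members": keep,
    }


if __name__ == "__main__":
    for key, items in review().items():
        print(f"{key}: {items}")
```

Run as a script it prints the three lists for the constructed sample at 2013-02-15 12:00:00Z; the richm membership expires exactly at that instant, while the sudo rule with no bounds stays active, which is the "permanent" case the original question wants to avoid.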

I guess we could add an attribute to expire a group, however no client
will respect that for now, so it would be a bit pointless if not
