On 04/16/2013 04:25 PM, Dmitri Pal wrote:
> On 04/16/2013 03:38 AM, Martin Kosek wrote:
>> On 04/16/2013 03:16 AM, Dmitri Pal wrote:
>>> On 04/15/2013 07:42 PM, Chandan Kumar wrote:
>>>> I agree it won't be a security feature, nor are you doing wrong by not
>>>> adding it. However, it might be a nice-to-have feature. Let me explain
>>>> my situation.
>>>>
>>>> We host a web application where a lot of DNS entries (public and
>>>> internal) are created for different kinds of requests and features. We
>>>> already have a separate DNS server and separate manual Linux
>>>> user/access-control management by Puppet. The Linux user ACLs have no
>>>> relationship with the web application users (which are internal to the
>>>> web app).
>>>>
>>>> So FreeIPA can help me centralize Linux user management as well as
>>>> (public and internal) DNS. However, the problem is: traditionally the
>>>> access levels were different for DNS users (support guys) and user
>>>> management (sysadmins). Now, bringing both systems together, even the
>>>> host-based access control and sudoers rules, everything becomes visible
>>>> to the non-sysadmin group.
>>>>
>>>> You are right that every user could query all entries from the command
>>>> line, and hence it won't help to secure the system, but not having it in
>>>> the GUI may help to avoid "obvious" visibility of the whole directory.
>>>>
>>>> I believe similar GUI "views" could be applied to the discussion in
>>>>
>>>> http://osdir.com/ml/freeipa-users/2013-03/msg00218.html
>>>>
>>>> where geographically separate organization units may share the same
>>>> directory with limited visibility of other branches.
>>>>
>>>> Having said that, I am not sure how feasible/logical my view is, owing
>>>> to my limited knowledge of 389 Directory Server and IPA.
>>> I think you are talking about this:
>>> https://fedorahosted.org/freeipa/ticket/217
>>> and somewhat about this: https://fedorahosted.org/freeipa/ticket/1313
>>>
>>> Would you mind adding the details of your use case to one of those two
>>> tickets?
>>>
>>> Alternatively we can start another ticket.
>>> However, I think we should have some kind of complete solution that covers
>>> LDAP, UI and CLI consistently.
>>> Doing it right would be a huge task IMO.
>>> For LDAP we would probably have to implement some kind of "smart" proxy
>>> that would reply only to the requests that the user is entitled to. Same
>>> with CLI and UI. But the point is that one configuration should be
>>> respected by all three at the same time. For example, if you are not
>>> allowed to manage sudo, the sudo commands should not return any data, nor
>>> should LDAP searches, and there should be no panel in the UI.
>>>
>>> I am really reluctant to fix just the UI, because we would end up with
>>> different components of the system behaving differently, and it would be
>>> hard to evolve and maintain them.
>>>
>>> Thanks
>>> Dmitri
>>>
>> I think there were some related discussions about this. I agree that this
>> is a bigger effort, but I do think that a proxy is needed. We should be
>> able to achieve that goal by being able to disable the global ACI allowing
>> read access to all entries and attributes except those explicitly
>> blacklisted.
>>
>> I think we are talking about this ticket:
>> https://fedorahosted.org/freeipa/ticket/2786
>
> Actually no. I see it on a much broader scale than in this ticket.
> I am thinking about blacklisting components like: sudo, HBAC, SELinux,
> DNS, hosts, users, services etc.
> Have a way to completely hide those areas from the user.
> It would get pretty complex right away as the dependencies are hierarchical.
This is what I meant. We could offer disabling the global ACI granting read
access to everyone and let admins assign read privileges only to the
functions (HBAC, SUDO, SELinux, ...) they want.

I tried to sum up all these thoughts in this upstream ticket:
https://fedorahosted.org/freeipa/ticket/3566

Comments and suggestions from FreeIPA users welcome!

Thanks,
Martin
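The approach Martin sketches (drop the directory-wide read ACI, then re-grant read per component) can be expressed directly as 389 Directory Server ACIs. The LDIF below is an added illustration written for this page, not FreeIPA's own default ACI file and not part of the thread. The suffix dc=example,dc=com, the group names cn=dns-support and cn=sysadmins, the ACI names, and the attribute list in the deleted ACI are assumptions; the container names cn=dns, cn=sudo, cn=hbac, cn=groups,cn=accounts and cn=computers,cn=accounts follow the standard FreeIPA tree layout.

```ldif
# Added example for the thread above; assumed names are marked.
# Before applying, list the ACIs actually present on your suffix:
#   ldapsearch -Y GSSAPI -b dc=example,dc=com -s base aci
# A "delete: aci" with a value must match the existing value byte for byte,
# so copy the global ACI from that output rather than from this file.

# 1. Remove the directory-wide "anyone may read" ACI (illustrative value).
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr != "userPassword || krbPrincipalKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

# 2. Re-grant read one component at a time. Support staff see DNS only
#    (cn=dns-support is an assumed group).
dn: cn=dns,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "DNS support can read DNS"; allow (read, search, compare) groupdn = "ldap:///cn=dns-support,cn=groups,cn=accounts,dc=example,dc=com";)

# 3. sudo rules stay readable to sysadmins (assumed group) ...
dn: cn=sudo,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Sysadmins can read sudo"; allow (read, search, compare) groupdn = "ldap:///cn=sysadmins,cn=groups,cn=accounts,dc=example,dc=com";)

# 4. ... and HBAC rules stay readable to the enrolled hosts, which bind
#    with their own principal to fetch the rules they enforce. This is the
#    kind of hierarchical dependency Dmitri refers to: hiding a component
#    from people must not hide it from the machines that consume it.
dn: cn=hbac,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Hosts can read HBAC rules"; allow (read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com";)
```

Apply with `ldapmodify -Y GSSAPI -f <file>` as an administrator, and test from a non-sysadmin Kerberos ticket with `ldapsearch -Y GSSAPI -b cn=sudo,dc=example,dc=com` and `ipa sudorule-find`: both should come back empty once the global ACI is gone. Enforcing at the ACI layer is what gives the consistency Dmitri asks for, because the IPA framework binds to LDAP on behalf of the calling user, so the CLI and the web UI receive exactly the entries the ACIs allow. The cost is the one Dmitri also names: every consumer of a hidden component (SSSD on hosts, replication, the framework's own lookups) needs an explicit grant, so remove the global ACI on a test replica first and watch for lookups that start failing.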