On 04/16/2013 04:25 PM, Dmitri Pal wrote:
> On 04/16/2013 03:38 AM, Martin Kosek wrote:
>> On 04/16/2013 03:16 AM, Dmitri Pal wrote:
>>> On 04/15/2013 07:42 PM, Chandan Kumar wrote:
>>>> I agree it won't be a security feature nor you are doing wrong by not 
>>>> adding
>>>> it. However, it might come as nice to have feature. Let me explain you my
>>>> condition.
>>>> We host web application where lot of DNS entries (Public and Internal) are
>>>> created for different kind of requests and features. Now we already have a
>>>> separate DNS server, Separate Manual Linux User/Access Control management 
>>>> by
>>>> puppet. Linux users   ACL have no relationship with the web application 
>>>> user
>>>> (which is internal to the web app). 
>>>> So FreeIPA can help me to centralize the Linux user-management as well as
>>>> (Public and Internal) DNS. However, the problem is : traditionally the 
>>>> access
>>>> levels were different for DNS users (support guys) and user management
>>>> (sysadmins). Now bring both system together even the Host based access
>>>> control, sudoers rule everything becomes visible to non-sysadmin group.
>>>> You are right that every user could query all entries from command line and
>>>> hence it won't help  to secure the system, but not having it on GUI may 
>>>> help
>>>> to avoid "obvious" visibility of the whole directory.
>>>> I believe similar GUI "views" could be applied for discussion 
>>>> http://osdir.com/ml/freeipa-users/2013-03/msg00218.html
>>>> where geographically separate Organization units may share the same 
>>>> directory
>>>> with limited visibility on other branches.
>>>> Having said that, I am not sure how feasible/logical my view is owing to my
>>>> limited knowledge in 389 directory server and IPA.
>>> I think you are talking about this: 
>>> https://fedorahosted.org/freeipa/ticket/217
>>> and somewhat about this https://fedorahosted.org/freeipa/ticket/1313
>>> Would you mind adding the details of your use case to one of those two 
>>> tickets?
>>> Alternatively we can start another ticket.
>>> However I think we should have some kind of a complete solution that covers
>>> LDAP, UI and CLI consistently.
>>> Doing it right would be a huge task IMO.
>>> For LDAP we would probably have to implement some kind of "smart" proxy that
>>> would reply only to the requests that user are entitled to. Same with CLI 
>>> and
>>> UI. But the point is that one configuration should be respected by all 
>>> three at
>>> the same time. For example if you are not allowed to manage sudo the sudo
>>> commands should not return any data as well as LDAP searches and there 
>>> should
>>> be no panel in the UI.
>>> I am really reluctant to fix just UI because we would end up different
>>> components of the system behaving differently and it would be hard to evolve
>>> them and maintain.
>>> Thanks
>>> Dmitri
>> I think there were some related discussions about this. I agree that this a
>> bigger effort, but I do think that a proxy is needed. We should be able to
>> achieve that goal by being able to disable global ACI allowing read access to
>> all entries and attributes unless those explicitly blacklisted.
>> I think we are talking about this ticket:
>> https://fedorahosted.org/freeipa/ticket/2786
> Actually no. I see it on a much broader scale than in this ticket.
> I am thinking about blacklisting components like: sudo, hbac, selinux,
> DNS, hosts, users, services etc.
> Have a way to completely hide those areas from the user.
> It would get pretty complex right away as the dependencies are hierarchical.

This is what I meant. We could offer disabling the global ACI granting read
access to everyone and let admins assign read privileges only to functions
(HBAC, SUDO, SELinux, ...) they want. I tried to sum all these thoughts to this
upstream ticket:


Comments and suggestions from FreeIPA users welcome!


Freeipa-users mailing list

Reply via email to