On Wed, 15 Feb 2017, Michael Ströder wrote:
> On 2017-02-15 11:51, Alexander Bokovoy wrote:
>> On Wed, 15 Feb 2017, Gerald Zabos wrote:
>>> Use case: external customer gets limited access and MUST NOT see our
>>> internal users and/or other external customers.
>>
>> Not seeing other users or objects is not possible with FreeIPA design. It
>> is also security through obscurity and doesn't really contribute
>> anything.
>
> IMHO such a use-case is a valid security requirement for preventing
> social engineering threats.
>
> Anyway customer accounts are critical regarding _confidentiality_:
>
> 1. Customers must not see internal users and their contact data
>    for not being able to circumvent controlled support processes.
>
> 2. Customers must not see other customers (competitors) because this
>    could cause business trouble.
>
> IMHO dealing with customer accounts is very tricky because a normal
> user management is optimized for collaboration and not for
> multi-tenant confidentiality.

You seem to assume something that is not really part of the FreeIPA design.
FreeIPA has a flat DIT, with no OUs or other segregation means. All users
and all groups are at the same level, and there is no mechanism to prevent
them from being visible to each other.

Additionally, it would not give you much protection against hosts,
because each enrolled host can see (read-only) all users and groups. If
host principals were not able to do so, SSSD would not be able to
retrieve identity information.

Even if a user has no control over their own enrolled machine, the POSIX
identity retrieval API also has no separation feature. If you are able
to issue getpwnam() or getpwuid() calls, you are able to methodically
iterate through all POSIX attributes of all users, even if inefficiently.

Note that FreeIPA is not alone in this. Active Directory allows all machines
in the domain to query identity information even if you are not able to
see it directly from LDAP. The Global Catalog service also gives all users
at least read-only access to the whole forest's identity information.

This is why I called the proposed approach to solving this use case
security through obscurity. The API is there to readily retrieve most of
the information without any really involved effort.

--
/ Alexander Bokovoy
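The point made above about getpwnam()/getpwuid() can be shown concretely. The following is an added example, not code from this thread or from the FreeIPA project: it walks a UID range through the normal NSS lookup API, which SSSD answers for any enrolled host, so every account in the directory's ID range is recoverable by any local user. With SSSD's default `enumerate = false`, `getpwent()` (Python's `pwd.getpwall()`) only returns local /etc/passwd entries, so the walk deliberately uses one `getpwuid()` call per UID instead. The sample directory, its UIDs, and the names `enumerate_by_uid`, `enumerate_around` and `sample_lookup` are constructed for illustration.

```python
import os
import pwd
from collections import namedtuple
from typing import Callable, Iterable, List, Tuple

# One recovered identity: (uid, login name, GECOS / display name).
Identity = Tuple[int, str, str]


def enumerate_by_uid(
    uid_range: Iterable[int],
    lookup: Callable[[int], object] = pwd.getpwuid,
) -> List[Identity]:
    """Resolve every UID in uid_range through the POSIX NSS API.

    `lookup` defaults to the real getpwuid(); it is injectable so the walk
    can be exercised against a constructed directory offline. A UID that no
    NSS source knows raises KeyError and is simply a hole in the range.
    """
    found: List[Identity] = []
    for uid in uid_range:
        try:
            entry = lookup(uid)
        except KeyError:
            continue  # unassigned UID, keep scanning
        found.append((entry.pw_uid, entry.pw_name, entry.pw_gecos))
    return found


def enumerate_around(
    known_uid: int,
    radius: int,
    lookup: Callable[[int], object] = pwd.getpwuid,
) -> List[Identity]:
    """Scan outward from one UID you already know (e.g. your own, `id -u`).

    Directory servers allocate UIDs from a contiguous ID range, so the
    neighbours of any single known UID are other accounts in that range.
    No enumeration privilege is needed: each probe is a plain getpwuid().
    """
    lo = max(0, known_uid - radius)
    return enumerate_by_uid(range(lo, known_uid + radius + 1), lookup)


# --- constructed sample directory, standing in for what SSSD/NSS would return ---
_FakePwd = namedtuple(
    "_FakePwd", "pw_name pw_passwd pw_uid pw_gid pw_gecos pw_dir pw_shell"
)
_SAMPLE = {
    1500000001: _FakePwd("alice", "*", 1500000001, 1500000001, "Alice (internal)", "/home/alice", "/bin/bash"),
    1500000002: _FakePwd("bob", "*", 1500000002, 1500000002, "Bob (support)", "/home/bob", "/bin/bash"),
    1500000004: _FakePwd("cust-acme", "*", 1500000004, 1500000004, "Acme Corp contact", "/home/cust-acme", "/bin/bash"),
    1500000007: _FakePwd("cust-globex", "*", 1500000007, 1500000007, "Globex contact", "/home/cust-globex", "/bin/bash"),
}


def sample_lookup(uid: int):
    """getpwuid() stand-in over the constructed directory; KeyError like the real one."""
    try:
        return _SAMPLE[uid]
    except KeyError:
        raise KeyError(f"getpwuid(): uid not found: {uid}")


if __name__ == "__main__":
    # Against the constructed directory: a customer account scanning its neighbours
    # sees internal staff and a competitor, exactly the exposure discussed above.
    for uid, name, gecos in enumerate_around(1500000004, 5, sample_lookup):
        print(f"{uid}\t{name}\t{gecos}")
    # Against the real host: walk 50 UIDs either side of the caller's own UID.
    for uid, name, gecos in enumerate_around(os.getuid(), 50):
        print(f"{uid}\t{name}\t{gecos}")
```

On a real enrolled host, widen `radius` to the size of the directory's ID range; the cost is one NSS lookup per UID, which is slow but entirely unprivileged, which is the sense in which hiding entries from LDAP alone would only be obscurity.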

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project