On Wed, 2011-06-08 at 14:15 -0400, Dmitri Pal wrote:
> Hi,
>
> We have been through this some time before and the decision made then
> still left me uneasy.
> We said that LDAP is by nature something that is readable by an
> authenticated user. Other than special password and key related
> attributes everything else should be readable.
>
> Now we have a bug https://bugzilla.redhat.com/show_bug.cgi?id=711693
> It seems reasonable to hide the SUDO information from the normal user
> and not make it widely available. I would argue that the HBAC should
> fall into the same category.
> I suspect there is a way to hide this information and if we implemented
> everything correctly the UI and CLI should not fail and respecting the
> effective rights will not present the UI or fail the CLI command.
> So what should we do:
> 1) Leave as is and not bother at all (i.e. it is what it is)
> 2) Leave as is and defer the solution till later (do not fix it in 2.1
> defer to 2.2)
> 3) Leave as is but document how to do it using permissions & ACIs
> 4) Provide default ACIs that would hide the records for the broad user
> population
>
> Looking for an opinion here.

I am for (2)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
