On 11/21/2013 01:34 PM, Nathaniel McCallum wrote:
>> The password can be retrieved with radiusproxy-show --all, because it is
>> not blocked by LDAP ACIs. Is that intended?
> Yes. But I'm torn as to whether or not this is a good idea. Regular
> users can't see radius proxy servers at all. Admins can see all
> attributes.
>
> It is common in radius server deployments to have a text file readable
> by root with the radius secret. The current LDAP policy replicates this
> "expected" behavior. It may be wise to block all reads of the secret
> though. I'm open to suggestions.
>

If it is readable by admin only I would leave it as is for now and address later when we redo ACIs.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.