On Wed, 02 Apr 2025, Finn Krein-Schuch via FreeIPA-users wrote:
> Thank you for your reply Alexander, I understand now that FreeIPA does make information to all users available to all Clients. That said, I disagree this is about security through obscurity in my case. Some (personal) information should not be available publicly and any client having access to all user information does not work for this.
We are stuck here with POSIX not enforcing any boundary protection for the POSIX accounts information on the same OS host. This concept was always out of scope for POSIX environments.
> But I don't see this as a shortcoming of FreeIPA but rather as a different problem domain than what FreeIPA wants to solve. FreeIPA is an identity management system and not a general user database. It makes sense that members of an organization in an identity management system are not secret.
I agree people tend to reuse existing infrastructure when solving completely different tasks at hand.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
