Comments (7)
I think you need to redo the admin acl role to give rights on everything but passwords.
from fusiondirectory-plugins.
Ok, thanks for your answer.
I presume this is reversible? I.e., I'd like the admin account never to have access to password change again, so as not to be accountable if there is a legal procedure related to a user: can FD enable it?
from fusiondirectory-plugins.
I'm not sure I understand your need.
Everything you configure can always be reconfigured another way. You may remove the admin's right to change the ACLs, but that means you won't ever be able to change ACLs again. I think at this point you should keep an admin account and use another role with less rights for this.
from fusiondirectory-plugins.
I'd like the admin account not to be able to change passwords of users ever again.
Your solution is interesting, but I was wondering if it's possible to use a stronger method: i.e., use cryptographic techniques.
For instance, requiring a key for changing the password, and that key would be only owned by the user.
I understand if it sounds out of scope.
from fusiondirectory-plugins.
Yes, this is out of scope.
There will always be an admin able to change the password, whether at the LDAP level or the server level.
Cryptography can hide the password from the admin but it does not prevent changing it.
You should not give an admin account to anyone who is not allowed to change passwords. Use an ACL role with less rights.
from fusiondirectory-plugins.
No, of course I won't give anyone an admin account.
I wanted to release any burden of liability on the admin, the password being able to decrypt users' data.
We'll try something similar to the approach proposed by Schneier to achieve our goal.
Thanks for your help!
from fusiondirectory-plugins.
Hello, if you achieve something or want to discuss more, feel free to ping me here.
Cheers
from fusiondirectory-plugins.