Prevent admin from changing passwords about fusiondirectory-plugins HOT 7 CLOSED

I think you need to redo the admin acl role to give rights on everything but passwords.

from fusiondirectory-plugins.

Ok, thanks for your answer.
I presume this is reversible? i.e. I'd like the admin account never to have access to password change again, so not as to be accountable if there is a legal procedure related to a user: can FD enable it?

from fusiondirectory-plugins.

I’m not sure I understand your need.
Everything you configure can always be reconfigured an other way. You may remove the admin the right to change the ACLs, but that means you won’t ever be able to change ACLs again. I think at this point you should keep an admin account and use another role with less rights for this.

from fusiondirectory-plugins.

I'd like the admin account not to be able to change passwords of users ever again.
Your solution is interesting, but I was wondering if it's possible to use a stronger method: i.e., use cryptographic techniques.
For instance, requiring a key for changing the password, and that key would be only owned by the user.
I understand if it sounds out of scope.

from fusiondirectory-plugins.

Yes, this is out of scope.

There will always be an admin able to change the password, whether at the LDAP level or the server level.
Cryptography can hide the password from the admin but it does not prevent changing it.
You should not give an admin account to anyone which is not allowed to change passwords. Use an ACL role with less rights.

from fusiondirectory-plugins.

No of course I won't give anyone an admin account.
I wanted to release any burden of liability on the admin, the password being able to decrypt users' data.
We'll try something similar to the approach proposed by Schneier to achieve our goal.
Thanks for your help!

from fusiondirectory-plugins.

@Victor-Morel,

hello if you achieve something or want to discuss more feel free to ping me here

Cheers

from fusiondirectory-plugins.