Jump to: navigation, search


Ambox warning green construction.svg This article is under construction.

Access control in FreeIPA


Read permissions for normal users do not harm

When work on IPA started most of the information stored was needed without authentication by machines, it was all (NIS maps equivalent data).

Later more functionality that falls into a grey area where it could be restricted was added. It was decided on a case by case basis, but by default it was not restricted because we do not believe in security through obscurity or because the information was still easily available if someone escalated privileges on any single client.


  • FreeIPA components should have least possible privilege. When possible, user-facing components should use delegation and operate using user's credentials (to limit attack surface).