Simo Sorce wrote:
On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote:
This patch is independent from my patches 0028-0031 and can be merged in
any order.

This patch has a bug, but I can't figure it out. We need to set
nsslapd-access-userattr-strict on cn=config to "off".
Uhmm, what is the effect on ACL evaluation of changing this boolean?
Ticket 47653 - Need a way to allow users to create entries assigned to themselves

Bug Description: There are cases where users need to be able to create, edit and delete their own entries. Using an ACI with the "userattr" keyword does not work with ADD operations (to prevent a security hole). This prevents IPA's OTP plugin from performing some necessary operations.

Fix Description: Added a new config attribute "nsslapd-access-userattr-strict". The default is "on" or strict. For the IPA case, it would need to be set to "off" in order to allow the desired behavior.

    https://fedorahosted.org/389/ticket/47653

This patch is included in 389-ds-base-1.3.2.10 and newer.

I can't figure out from your commit nor from the 389ds commit what exactly
changes and how it impacts the security of the directory.

I ask because I was planning on using userattr to protect some
operations in the password plugin but was waiting due to bug:
https://fedorahosted.org/389/ticket/47571 which is being resolved.
Thank you for waiting. We are going to add the fix to the next release (1.3.2.11).
Thanks!
--noriko


I want to make sure your change won't change what these ACIs would allow.

Is this option simply allowing the use of add/delete ACIs to be
specified in conjunction with userattr, so that a user can add an attr
only if it contains its own DN?

Will it allow the user to add multiple values to the same attr as long
as one of them is the userDN? Or will it restrict that case?

(I know that ipaTokenOwner is a single-value attribute, but the
mechanism you are enabling here is general, and I want to be sure of
what the semantics are)

Simo.


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
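An added illustration (not from the thread, nor from the 389-ds or FreeIPA code) of the two pieces under discussion, written as LDIF for 389-ds: the cn=config change that relaxes nsslapd-access-userattr-strict, and an ACI that grants a user rights over entries whose ipaTokenOwner attribute holds the bound user's DN via the userattr bind rule. The attribute name and the "off" value come from the thread; the target subtree, targetattr list and ACL name are assumptions.

```ldif
# Relax the strict check on cn=config (attribute and value "off" as stated in
# the thread). With the default "on", the userattr bind rule is not honoured
# for ADD operations, which is the conservative behaviour.
dn: cn=config
changetype: modify
replace: nsslapd-access-userattr-strict
nsslapd-access-userattr-strict: off

# Assumed ACI (placeholder subtree, targetattr and ACL name): let the bound
# user add, modify and delete token entries whose ipaTokenOwner attribute
# contains that user's own DN. "ipaTokenOwner#USERDN" is the standard 389-ds
# userattr form: access is granted when the named attribute of the target
# entry holds the bind DN.
dn: cn=otp,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "owner manages own tokens";
 allow (add, write, delete) userattr = "ipaTokenOwner#USERDN";)
```

On an ADD the target entry's content is supplied by the requester, so whether the server accepts an entry whose ipaTokenOwner carries several values, only one of which is the bind DN, is exactly the open question raised above; keep the default "on" until that semantics is confirmed for the attributes you protect.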