On Tue, 2014-04-15 at 13:13 +0200, Petr Viktorin wrote:
> On 04/15/2014 09:43 AM, Martin Kosek wrote:
> > On 04/15/2014 09:38 AM, Martin Kosek wrote:
> >> On 04/14/2014 07:18 PM, Simo Sorce wrote:
> >>> On Mon, 2014-04-14 at 18:54 +0200, Petr Viktorin wrote:
> >>>> Hello,
> >>>>
> >>>> The first patch adds default read permissions to krbtpolicy. Since the
> >>>> plugin manages entries in two trees, there are two permissions. Since
> >>>> two permissions are needed to cover krbtpolicy, it can't be used as a
> >>>> permission's --type.
> >>>> The permissions are added to a new privilege, 'Kerberos Ticket Policy
> >>>> Readers'.
> >>>>
> >>>> The second patch adds an ACI for reading the Kerberos realm name. Since
> >>>> client enrollment won't work without this, I don't see a reason for
> >>>> having it managed by a permission.
> >>>>
> >>>
> >>> LGTM
> >>>
> >>> Simo.
> >>>
> >>
> >> 521 breaks a unit test:
> >>
> >> ======================================================================
> >> FAIL: test_permission[37]: permission_find: Search for u'Testperm_RN' using
> >> --subtree
> >> ----------------------------------------------------------------------
> >> Traceback (most recent call last):
> >>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
> >>     self.test(*self.arg)
> >>   File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 301, in <lambda>
> >>     func = lambda: self.check(nice, **test)
> >>   File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 319, in check
> >>     self.check_output(nice, cmd, args, options, expected, extra_check)
> >>   File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 359, in check_output
> >>     assert_deepequal(expected, got, nice)
> >>   File "/root/freeipa-master/ipatests/util.py", line 344, in assert_deepequal
> >>     assert_deepequal(e_sub, g_sub, doc, stack + (key,))
> >>   File "/root/freeipa-master/ipatests/util.py", line 352, in assert_deepequal
> >>     VALUE % (doc, expected, got, stack)
> >> AssertionError: assert_deepequal: expected != got.
> >>   test_permission[37]: permission_find: Search for u'Testperm_RN' using --subtree
> >>   expected = 1
> >>   got = 2
> >>   path = ('count',)
>
> Thanks for the catch, tests updated.
>
> >> Otherwise it works fine (krbtpolicy-show for user cannot be tested yet as we
> >> miss permissions for users).
>
> Right; I don't think this permission by itself should allow access to
> users. Correct me if that's wrong.
>
> I created a users permission for testing:
> ipa permission-add 'allow reading user objectclass' --type user
> --right={read,search,compare} --attrs objectclass --bind all
>
> > /me hit Send too soon.
> >
> > Although 522 works functionally and client now discovers the IPA server, there
> > is no path from SUFFIX to cn=REALM for anonymous users.
> >
> > I would personally change the ACI to
> >
> > (targetattr = "cn || objectclass")(targetfilter =
> > "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl
> > "Anonymous read access to Kerberos container";allow (read,compare,search)
> > userdn = "ldap:///anyone";)
> >
> > and put it to cn=kerberos,$SUFFIX (which is of krbcontainer objectclass).
>
> Right, that's necessary for UIs to list the container.
> Simo, are you okay with this?
It is no secret that an IPA server has a container named after the domain.
And the REALM name is available unauthenticated from DNS, so knowledge of
its existence is given. Therefore I see no problem if anonymous can see the
container exists, as long as no contents (beyond what we already determined
need to be) are revealed.

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
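The ACI proposed in the thread grants anonymous binds read, search and compare on only cn and objectclass, and only on entries that are krbrealmcontainer or krbcontainer. The following toy evaluator is an added example, not FreeIPA or 389-ds code: it parses the targetattr, targetfilter and allow parts of that ACI, applies them to a few constructed entries, and returns what an anonymous subtree search under the suffix would see. The entry DNs, the admin user entry, and the krbMaxTicketLife/krbMaxRenewableAge attributes on the realm entry are assumptions made for illustration; the point it demonstrates is Simo's condition above: the container and realm names are visible, the realm's other attributes and unrelated entries are not.

```python
"""Toy evaluator for the anonymous Kerberos-container ACI (added example).

Not 389-ds code: it supports only the ACI keywords used in the thread and
LDAP filters made of (attr=value), (attr=*), (|...) and (&...).
"""
import re

# ACI text as proposed in the thread, to be placed on cn=kerberos,$SUFFIX.
ACI = (
    '(targetattr = "cn || objectclass")'
    '(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")'
    '(version 3.0;acl "Anonymous read access to Kerberos container";'
    'allow (read,compare,search) userdn = "ldap:///anyone";)'
)

SUFFIX = "dc=example,dc=com"

# Constructed directory content (assumed shapes, not a dump of a real server).
# Attribute names are lower-cased; values are lists, as in LDAP.
ENTRIES = {
    f"cn=kerberos,{SUFFIX}": {
        "objectclass": ["top", "krbcontainer"],
        "cn": ["kerberos"],
    },
    f"cn=EXAMPLE.COM,cn=kerberos,{SUFFIX}": {
        "objectclass": ["top", "krbrealmcontainer", "krbticketpolicyaux"],
        "cn": ["EXAMPLE.COM"],
        # assumed ticket-policy attributes that must stay hidden from anonymous
        "krbmaxticketlife": ["86400"],
        "krbmaxrenewableage": ["604800"],
    },
    f"uid=admin,cn=users,cn=accounts,{SUFFIX}": {
        "objectclass": ["top", "person", "posixaccount"],
        "uid": ["admin"],
        "cn": ["Administrator"],
    },
}


def parse_aci(aci):
    """Extract the targetattr set, the targetfilter string and the rights."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci).group(1)
    targetattr = {a.strip().lower() for a in attrs.split("||")}
    targetfilter = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci).group(1)
    rights = re.search(r"allow\s*\(([^)]*)\)", aci).group(1)
    return targetattr, targetfilter, {r.strip() for r in rights.split(",")}


def parse_filter(text, pos=0):
    """Parse a filter into ('=', attr, value) or (op, [subfilters]) nodes."""
    assert text[pos] == "("
    pos += 1
    if text[pos] in "|&":
        op, pos, subs = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            subs.append(node)
        assert text[pos] == ")"
        return (op, subs), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1


def match(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    if node[0] == "=":
        _, attr, value = node
        if value == "*":  # presence filter
            return attr in entry
        return value in {v.lower() for v in entry.get(attr, [])}
    op, subs = node
    results = [match(sub, entry) for sub in subs]
    return any(results) if op == "|" else all(results)


def anonymous_search(entries, aci, base, search_filter="(objectclass=*)"):
    """Simulate a subtree search under `base` performed by an anonymous bind.

    An entry is returned only if the ACI's targetfilter covers it and the
    search filter matches using the attributes the ACI lets anonymous read;
    the returned attributes are limited to targetattr.
    """
    targetattr, targetfilter, rights = parse_aci(aci)
    if not {"read", "search"} <= rights:
        return {}
    target = parse_filter(targetfilter)[0]
    wanted = parse_filter(search_filter)[0]
    result = {}
    for dn, entry in entries.items():
        if not dn.lower().endswith(base.lower()) or not match(target, entry):
            continue
        visible = {a: v for a, v in entry.items() if a in targetattr}
        if match(wanted, visible):
            result[dn] = visible
    return result


def discover_realm(entries, aci, suffix):
    """What an enrolling client learns: realm container names under suffix."""
    hits = anonymous_search(entries, aci, suffix, "(objectclass=krbrealmcontainer)")
    return sorted(v for e in hits.values() for v in e["cn"])


if __name__ == "__main__":
    for dn, attrs in anonymous_search(ENTRIES, ACI, SUFFIX).items():
        print(dn, attrs)
    print("realms:", discover_realm(ENTRIES, ACI, SUFFIX))
```

Against a real server the equivalent check is an unauthenticated simple bind, for instance `ldapsearch -x -H ldap://ipa.example.com -b dc=example,dc=com '(objectclass=krbrealmcontainer)'` with no attribute list, which should return only cn and objectClass for the realm entry and nothing from the ticket policy. Real 389-ds evaluation also combines every ACI in scope, including deny rules and ACIs higher in the tree, so this evaluator shows what one ACI contributes, not the server's final answer.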