On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 03:15 PM, Petr Viktorin wrote:
On 09/03/2014 02:27 PM, Petr Viktorin wrote:
On 09/03/2014 01:27 PM, Petr Viktorin wrote:
Hello,
This adds managed read permissions to the compat tree.
For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.
I'm unsure if this is what we want to do for groups, but "Read Group
Membership" is only granted to authenticated users by default, and the
compat tree exposes memberuid.
https://fedorahosted.org/freeipa/ticket/4521
Self-NACK, there's a typo (though I could swear I tested this :/)
Fixed patch attached.
I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
see if there are no reservations from Alexander or Rob.
I think we need a few more fixes. Here is the ACL log for an anonymous
request:
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
"cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the
subject by aci(27): aciname="permission:System: Read DNS Configuration",
acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject
by aci(27): aciname="permission:System: Read DNS Configuration",
acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the
subject by aci(27): aciname="permission:System: Read DNS Configuration",
acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by
aci(27): aciname="permission:System: Read DNS Configuration",
acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by
aci(38): aciname= "permission:System: Read User
Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci
matched the subject by aci(18): aciname= "Admin can manage any entry",
acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to anonymous: allowed by
aci(38): aciname= "permission:System: Read User Compat Tree",
acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)
createTimestamp is an operational attribute and is synthesized by
slapi-nis, so there is no problem allowing access to it. I think we can
allow the following operational attributes:
createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
entryDN, hasSubordinates, numSubordinates
Finally, access to ipaNTSecurityIdentifier may be allowed too; I didn't
run ipa-adtrust-install on this machine yet.
The same set should be allowed for the primary tree.
--
/ Alexander Bokovoy
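
Added example (not part of the original mail and not FreeIPA or 389-DS code): a Python sketch that re-joins the wrapped NSACLPlugin records quoted above and reports which attributes were denied to a given subject, which is how the createTimestamp gap shows up. The regular expression is derived only from the log lines shown in this thread; other log layouts are an assumption and may not match.

```python
import re
from collections import defaultdict

# Excerpt of the ACL log quoted in the mail above, wrapped as it appears there.
SAMPLE_LOG = '''\
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject
by aci(27): aciname="permission:System: Read DNS Configuration",
acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci
matched the subject by aci(18): aciname= "Admin can manage any entry",
acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
anonymous: cached allow by aci(38)
'''

# Pattern derived from the records above (assumption: one decision per record).
DECISION = re.compile(
    r'NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): '
    r'(?P<verdict>Allow|Deny) (?P<right>\w+) on '
    r'entry\((?P<dn>.*?)\)\.attr\((?P<attr>[^)]+)\) to (?P<subject>.+?):')

def join_wrapped(text):
    """Re-join wrapped records: a new record starts with a '[timestamp]'."""
    records = []
    for line in text.splitlines():
        if line.startswith('[') or not records:
            records.append(line.strip())
        else:
            records[-1] += ' ' + line.strip()
    return records

def parse_decisions(text):
    """Return one dict per Allow/Deny decision found in the log text."""
    return [m.groupdict() for m in map(DECISION.search, join_wrapped(text)) if m]

def denied_attrs(text, subject='anonymous', right='read'):
    """Map each entry DN to the attributes denied to `subject` for `right`."""
    denied = defaultdict(set)
    for d in parse_decisions(text):
        if (d['verdict'], d['subject'], d['right']) == ('Deny', subject, right):
            denied[d['dn']].add(d['attr'])
    return {dn: sorted(attrs) for dn, attrs in denied.items()}

print(denied_attrs(SAMPLE_LOG))
```
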