On Thu, 2014-09-04 at 15:55 +0200, Martin Kosek wrote:
> On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
> > On Wed, 03 Sep 2014, Martin Kosek wrote:
> >> On 09/03/2014 03:15 PM, Petr Viktorin wrote:
> >>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
> >>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
> >>>>> Hello,
> >>>>> This adds managed read permissions to the compat tree.
> >>>>>
> >>>>> For users it grants anonymous access; authenticated users can read
> >>>>> groups, hosts and netgroups.
> >>>>>
> >>>>> I'm unsure if this is what we want to do for groups, but "Read Group
> >>>>> Membership" is only granted to authenticated users by default, and the
> >>>>> compat tree exposes memberuid.
> >>>>>
> >>>>> https://fedorahosted.org/freeipa/ticket/4521
> >>>>
> >>>> Self-NACK, there's a typo (though I could swear I tested this :/)
> >>>>
> >>>
> >>> Fixed patch attached.
> >>>
> >>
> >> I tested and it looks and works OK, ACK from me. We can wait till tomorrow
> >> to see if there are no reservations from Alexander or Rob.
> > I think we need a bit more fixes. Here is the ACL log for an anonymous
> > request:
> >
> > [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname= "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname= "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
> > [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage any entry", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to anonymous: cached allow by aci(38)
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous: cached allow by aci(38)
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to anonymous: cached allow by aci(38)
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to anonymous: cached allow by aci(38)
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to anonymous: cached allow by aci(38)
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to anonymous: cached allow by aci(38)
> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
> >
> > createTimestamp is an operational attribute and is synthesized by
> > slapi-nis, there is no problem allowing access to it. I think we can
> > allow the following operational attributes:
> >
> > createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
> > entryDN, hasSubordinates, numSubordinates
> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
> for the whole FreeIPA DIT. So this change is not so related to these patches.

Indeed entryUSN should always be allowed, at least to authenticated users.

> Do we also want to expose attributes like creatorsName/modifiersName? Do we
> consider that public information or just audit-like information for DM only?

Are you asking just for the compat tree or in general?

> > Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
> > run ipa-adtrust-install on this machine yet.
> I do not think that this attribute is written to cn=compat (did not see it in
> config) - is it?

No, and shouldn't

> > The same set should be allowed for primary tree.
> >
> > IMO this should be just one global permission/ACI, set for DIT root.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
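To turn an ACL log capture like the one quoted in this thread into a per-attribute view of what an anonymous bind can and cannot read, here is an added example (my own code, not from the thread or from FreeIPA) that parses 389-ds NSACLPlugin decision lines; the sample lines in it are constructed in the same shape as the quoted log, with a placeholder suffix instead of the original one.

```python
import re

# Per-attribute decision lines that 389-ds writes with ACL logging enabled,
# in the same shape as the NSACLPlugin lines quoted in the thread.
DECISION_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'\(main\): (?P<decision>Allow|Deny) (?P<right>\w+) on '
    r'entry\((?P<dn>.+?)\)\.attr\((?P<attr>[^()]+)\) to (?P<subject>.+?): '
    r'(?P<detail>.*)$')
# ACI number plus, when the server prints it, the ACI name; "cached allow"
# lines carry only the number.
ACI_RE = re.compile(r'by aci\((?P<num>\d+)\)(?::\s*aciname=\s*"(?P<name>[^"]*)")?')

def parse_acl_log(lines):
    """One dict per Allow/Deny line; other lines (e.g. '#### conn=') are skipped."""
    names = {}   # aci number -> name, carried forward to "cached allow" lines
    records = []
    for line in lines:
        m = DECISION_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        a = ACI_RE.search(rec['detail'])
        rec['aci'] = int(a['num']) if a else None
        if a and a['name']:
            names[rec['aci']] = a['name']
        rec['aciname'] = names.get(rec['aci'])
        records.append(rec)
    return records

def access_by_attr(decisions, subject='anonymous', right='read'):
    """attr -> (decision, aci number, aci name) for one subject and right.

    On a Deny line the aci number is only the last ACI evaluated: "no aci
    matched the subject" means nothing granted the right, not that aci(N) denied it."""
    result = {}
    for d in decisions:
        if d['subject'] == subject and d['right'] == right:
            result[d['attr']] = (d['decision'], d['aci'], d['aciname'])
    return result

# Constructed sample in the thread's log format (not the original capture).
SAMPLE_LOG = """\
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=example,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat Tree", acidn="dc=example,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=example,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage any entry", acidn="dc=example,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=example,dc=test).attr(gecos) to anonymous: cached allow by aci(38)
""".splitlines()
```

Running `access_by_attr(parse_acl_log(SAMPLE_LOG))` lists, for each attribute, whether the anonymous read was granted and which ACI granted it, so a missing operational-attribute grant such as createTimestamp stands out immediately.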