On 09/04/2014 04:38 PM, Martin Kosek wrote:
> On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
>> ...
>>>> createTimestamp is an operational attribute and is synthesized by
>>>> slapi-nis, there is no problem allowing access to it. I think we can
>>>> allow the following operational attributes:
>>>>
>>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>>>> entryDN, hasSubordinates, numSubordinates
>>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>>> for the whole FreeIPA DIT. So this change is not so related to these patches.
>>>
>>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
>>> consider that public information or just audit-like information for DM only?
>> They are standard features of LDAP servers. RFC 4512 states:
>> =============================================================================
>> 3.4 Operational attributes
>> ...
>> Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
>> 'modifiersName', and 'modifyTimestamp' attributes for all entries of the
>> DIT.
>> =============================================================================
>>
>> This is, again, a question of policy. Active Directory forbids anonymous
>> access to the tree; so they always expose these attributes to
>> authenticated users only. If we allow anonymous access, we should allow
>> these attributes too.
> Well, DS *does* maintain the attributes - question is whether we want to show
> them to anonymous/authenticated people or just the DM :)
Whether you want to show them depends on whether it is useful or sensitive.
I don't know why an anonymous user would need access to them.
Are they sensitive? Well, at least they expose a DN which has rights to
create and modify entries and could be used when trying to get more access.

>>>> Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
>>>> run ipa-adtrust-install on this machine yet.
>>> I do not think that this attribute is written to cn=compat (did not see it in
>>> config) - is it?
>> It is written for AD users synthesized with SSSD help. I think the lack
>> of it for IPA users is an oversight.
> Ok. Petr, you know what to do.
>
> Martin
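A small check for the policy question discussed in this thread, added here as an example and not FreeIPA or 389-DS code: it builds the 389-DS ACI that would grant anonymous read of the operational attributes Alexander listed, holding back creatorsName/modifiersName because they reveal which DN has write rights, and it audits the LDIF output of an anonymous `ldapsearch ... '+'` for those two attributes. The allow-list split, the `dc=example,dc=test` base DN and the LDIF sample are all constructed assumptions.

```python
"""
Audit which operational attributes an anonymous LDAP bind can read from a
389-DS / FreeIPA compat tree, and build the matching 389-DS ACI.

Added example for the freeipa-devel thread above; not FreeIPA or 389-DS
code. The allow-list, base DN and LDIF sample below are constructed.
"""
import re

# Operational attributes the thread proposes to expose anonymously
# (lower-cased because LDAP attribute names are case-insensitive).
ANON_ALLOWED = {
    "createtimestamp", "modifytimestamp", "entryusn",
    "entrydn", "hassubordinates", "numsubordinates",
}
# Held back from anonymous binds: they name the DN that created/modified
# the entry, which the thread flags as useful to someone seeking more access.
ANON_DENIED = {"creatorsname", "modifiersname"}


def build_anon_aci(attrs, acl_name="Anonymous read of compat operational attributes"):
    """Return a 389-DS ACI string granting anonymous read/search/compare on attrs."""
    targetattr = " || ".join(sorted(attrs))
    return ('(targetattr = "%s")(version 3.0; acl "%s"; '
            'allow (read, search, compare) userdn = "ldap:///anyone";)'
            % (targetattr, acl_name))


def parse_ldif(text):
    """Minimal LDIF parser: list of (dn, {attr_lower: [values]}).

    Folds continuation lines (leading space); base64 values ("attr:: ...")
    are kept verbatim, which is enough for the audit below.
    """
    entries, current, dn = [], None, None
    text = re.sub(r"\n ", "", text)           # unfold continuation lines
    for line in text.splitlines():
        if not line.strip():                  # blank line ends an entry
            if current is not None:
                entries.append((dn, current))
                current, dn = None, None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lstrip(":").strip()
        if key == "dn":
            current, dn = {}, value
        elif current is not None:
            current.setdefault(key, []).append(value)
    if current is not None:
        entries.append((dn, current))
    return entries


def audit_anonymous_dump(ldif_text):
    """Given output of an anonymous `ldapsearch -x -b <compat base> '+'`,
    return {dn: sorted denied operational attributes that were readable}."""
    leaks = {}
    for dn, attrs in parse_ldif(ldif_text):
        bad = sorted(a for a in attrs if a in ANON_DENIED)
        if bad:
            leaks[dn] = bad
    return leaks


# Constructed sample: what an over-permissive ACI would let anonymous read.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=compat,dc=example,dc=test
createTimestamp: 20140904120000Z
modifyTimestamp: 20140904120000Z
entryUSN: 4711
entryDN: uid=alice,cn=users,cn=compat,dc=example,dc=test
creatorsName: cn=Directory Manager
modifiersName: cn=Directory Manager

dn: uid=bob,cn=users,cn=compat,dc=example,dc=test
createTimestamp: 20140904120100Z
entryUSN: 4712
"""

if __name__ == "__main__":
    print(build_anon_aci(ANON_ALLOWED))
    for leaked_dn, leaked in audit_anonymous_dump(SAMPLE_LDIF).items():
        print("LEAK", leaked_dn, leaked)
```

Run it as-is to see the ACI and the one entry in the sample that leaks creatorsName/modifiersName; to audit a live server, replace `SAMPLE_LDIF` with the saved output of an anonymous (`-x`, no `-D`) ldapsearch against the compat base that requests operational attributes with `'+'`.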

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
