On Thu, 04 Sep 2014, Martin Kosek wrote:
On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 03:15 PM, Petr Viktorin wrote:
On 09/03/2014 02:27 PM, Petr Viktorin wrote:
On 09/03/2014 01:27 PM, Petr Viktorin wrote:
Hello,
This adds managed read permissions to the compat tree.

For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.

I'm unsure if this is what we want to do for groups, but "Read Group
Membership" is only granted to authenticated users by default, and the
compat tree exposes memberuid.

https://fedorahosted.org/freeipa/ticket/4521

Self-NACK, there's a typo (though I could swear I tested this :/)



Fixed patch attached.


I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
see if there are any reservations from Alexander or Rob.
I think we need a few more fixes. Here is the ACL log for an anonymous
request:

[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
"cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
aci matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
aci matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
by aci(38): aciname= "permission:System: Read User
Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage
any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)

createTimestamp is an operational attribute and is synthesized by
slapi-nis; there is no problem allowing access to it. I think we can
allow the following operational attributes:

createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
entryDN, hasSubordinates, numSubordinates

Ah, ok, probably yes. At least for some of them - CCing Simo. For example
entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
for the whole FreeIPA DIT. So this change is not so related to these patches.

Do we also want to expose attributes like creatorsName/modifiersName? Do we
consider that public information or just audit-like information for DM only?

Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
run ipa-adtrust-install on this machine yet.

I do not think that this attribute is written to cn=compat (did not see it in
config) - is it?


The same set should be allowed for the primary tree.


IMO this should be just one global permission/ACI, set for DIT root.

I experimented a bit, by setting up SSSD with a simple LDAP provider
talking to a compat tree (with views enabled, but that doesn't change
anything) and I think we need to move to ipapermbindruletype=anonymous
or otherwise such a setup will not work at all. Attached is my take on it
on top of Petr's patchset.

You can ignore views-related ACIs for time being.
--
/ Alexander Bokovoy
diff --git a/ACI.txt b/ACI.txt
index 6a4e646..8cce4a4 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -51,9 +51,11 @@ aci: (targetattr = "member")(targetfilter = 
"(&(!(cn=admins))(objectclass=ipause
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || gidnumber || ipauniqueid || 
mepmanagedby || objectclass")(targetfilter = 
"(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl 
"permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: 
Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || memberuid || objectclass")(target = 
"ldap:///cn=groups,cn=compat,dc=ipa,dc=example";)(version 3.0;acl 
"permission:System: Read Group Compat Tree";allow (compare,read,search) userdn 
= "ldap:///all";;)
+aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || 
memberuid || modifytimestamp || objectclass")(target = 
"ldap:///cn=*,cn=groups,cn=compat,dc=ipa,dc=example";)(version 3.0;acl 
"permission:System: Read Group Compat Tree";allow (compare,read,search) userdn 
= "ldap:///anyone";;)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || 
memberuser")(targetfilter = 
"(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl 
"permission:System: Read Group Membership";allow (compare,read,search) userdn = 
"ldap:///all";;)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || 
memberuid || modifytimestamp || objectclass")(target = 
"ldap:///cn=*,cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example";)(version 
3.0;acl "permission:System: Read Group Views Compat Tree";allow 
(compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || gidnumber || 
ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || 
o || objectclass || ou || owner || seealso")(targetfilter = 
"(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl 
"permission:System: Read Groups";allow (compare,read,search) userdn = 
"ldap:///anyone";;)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
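Review bot: the bind rule for memberuid in the compat tree goes from `ldap:///all` to `ldap:///anyone` in this hunk, while the unchanged context directly below keeps "permission:System: Read Group Membership" on cn=groups,cn=accounts at `ldap:///all`. After this change an anonymous client can read the memberuid of every compat group (cn=admins included) but not the same membership under cn=accounts, which is exactly the doubt Petr raised at the top of the thread. Either record in the commit message that anonymous group membership is the accepted policy, or keep `ldap:///all` for the group compat ACI until that decision is made; the two trees should not disagree on the same attribute.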
@@ -239,7 +241,7 @@ aci: (targetattr = "*")(target = "ldap:///cn=UPG 
Definition,cn=Definitions,cn=Ma
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "audio || businesscategory || carlicense || 
departmentnumber || destinationindicator || employeenumber || employeetype || 
fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || 
internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o 
|| ou || pager || photo || physicaldeliveryofficename || postaladdress || 
postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || 
registeredaddress || roomnumber || secretary || seealso || st || street || 
telephonenumber || teletexterminalidentifier || telexnumber || usercertificate 
|| usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = 
"(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User 
Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || gecos || gidnumber || homedirectory || loginshell || 
objectclass || uid || uidnumber")(target = 
"ldap:///cn=users,cn=compat,dc=ipa,dc=example";)(version 3.0;acl 
"permission:System: Read User Compat Tree";allow (compare,read,search) userdn = 
"ldap:///anyone";;)
+aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || 
homedirectory || loginshell || modifytimestamp || objectclass || uid || 
uidnumber")(target = 
"ldap:///uid=*,cn=users,cn=compat,dc=ipa,dc=example";)(version 3.0;acl 
"permission:System: Read User Compat Tree";allow (compare,read,search) userdn = 
"ldap:///anyone";;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || 
userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl 
"permission:System: Read User IPA Attributes";allow (compare,read,search) 
userdn = "ldap:///all";;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
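Review bot: the target narrows from `ldap:///cn=users,cn=compat,dc=ipa,dc=example` to `ldap:///uid=*,cn=users,cn=compat,dc=ipa,dc=example`, so the container entry cn=users,cn=compat itself no longer matches. The ACL log earlier in the thread shows the subtree search still finding uid=admin while sibling containers are denied, so `(uid=...)` lookups from cn=compat keep working, but a base-scope read of cn=users,cn=compat, which that log shows as "Allow search ... allowed by aci(38)" today, becomes a deny for anonymous after this hunk. State whether excluding the container is intended (clients that enumerate with a one-level search from the container may care), or keep the container DN as the target, which already covers its subtree.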
@@ -250,6 +252,8 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = 
"(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User 
Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || displayname || gecos || gidnumber || 
givenname || homedirectory || initials || ipantsecurityidentifier || loginshell 
|| manager || objectclass || sn || title || uid || uidnumber")(targetfilter = 
"(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User 
Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || 
homedirectory || loginshell || modifytimestamp || objectclass || uid || 
uidnumber")(target = 
"ldap:///uid=*,cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example";)(version 
3.0;acl "permission:System: Read User Views Compat Tree";allow 
(compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl 
"permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: 
Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
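Review bot: `createtimestamp || entryusn || modifytimestamp` are listed here, and in the three other compat ACIs in this patch, although the last hunk of this file grants the same attributes DIT-wide with "permission:System: Read Operational Attributes" (`(objectclass=*)` on dc=ipa,dc=example, `ldap:///anyone`). Once the global permission exists, repeating the operational attributes per tree is redundant and means two places must be edited to change their exposure; drop them from the compat and views ACIs and keep only `cn || gecos || gidnumber || homedirectory || loginshell || objectclass || uid || uidnumber` here.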
@@ -276,6 +280,8 @@ dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || dnahostname || dnaportnum || dnaremainingvalues || 
dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || 
objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl 
"permission:System: Read DNA Configuration";allow (compare,read,search) userdn 
= "ldap:///all";;)
 dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || ipaconfigstring || objectclass")(targetfilter = 
"(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA 
Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA 
Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || creatorsname || entryusn || 
modifiersname || modifytimestamp")(targetfilter = "(objectclass=*)")(version 
3.0;acl "permission:System: Read Operational Attributes";allow 
(compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=config
 aci: (targetattr = "cn || description || nsds50ruv || nsds5beginreplicarefresh 
|| nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || 
nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || 
nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || 
nsds5replicachangecount || nsds5replicachangessentsincestartup || 
nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials 
|| nsds5replicaenabled || nsds5replicahost || nsds5replicaid || 
nsds5replicalastinitend || nsds5replicalastinitstart || 
nsds5replicalastinitstatus || nsds5replicalastupdateend || 
nsds5replicalastupdatestart || nsds5replicalastupdatestatus || 
nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || 
nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral 
|| nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs 
|| nsds5replicatedattributelist || nsds5replicatedattributelisttotal || 
nsds5replicatimeout || nsds5replicatombstonepurgeinterval || 
nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress 
|| nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || 
nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled 
|| nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified 
|| nsstate || objectclass || onewaysync || winsyncdirectoryfilter || 
winsyncinterval || winsyncmoveaction || winsyncsubtreepair || 
winsyncwindowsfilter")(targetfilter = 
"(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
 3.0;acl "permission:System: Read Replication Agreements";allow 
(compare,read,search) groupdn = "ldap:///cn=System: Read Replication 
Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=replication,cn=etc,dc=ipa,dc=example
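Review bot: this ACI sits on dc=ipa,dc=example with `(targetfilter = "(objectclass=*)")` and `userdn = "ldap:///anyone"`, so it grants anonymous read and search on createtimestamp, creatorsname, entryusn, modifiersname and modifytimestamp for every entry in the DIT, not only the compat tree the thread is about. Search right on these attributes lets an unauthenticated client use filters such as `(modifytimestamp>=...)` or `(creatorsname=*)` to probe the existence, DN and last-modification time of entries whose other attributes are deliberately not anonymous-readable (hosts, services, privileges, the replication configuration under cn=etc visible in the context here). Martin's open question above about creatorsName/modifiersName being audit-style information is not answered by this hunk; suggest scoping the permission to the subtrees clients actually read (cn=compat and cn=accounts) and leaving creatorsname/modifiersname out until that is decided.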
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index a4340bb..ad96efe 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -204,12 +204,24 @@ class group(LDAPObject):
         },
         'System: Read Group Compat Tree': {
             'non_object': True,
-            'ipapermbindruletype': 'all',
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=groups', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'memberuid', 'gidnumber',
+                'createtimestamp', 'modifytimestamp', 'entryusn',
+            },
+        },
+        'System: Read Group Views Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
             'ipapermlocation': api.env.basedn,
-            'ipapermtarget': DN('cn=groups', 'cn=compat', api.env.basedn),
+            'ipapermtarget': DN('cn=*', 'cn=groups', 'cn=*', 'cn=views', 
'cn=compat', api.env.basedn),
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
-                'objectclass', 'cn', 'memberuid',
+                'objectclass', 'cn', 'memberuid', 'gidnumber',
+                'createtimestamp', 'modifytimestamp', 'entryusn',
             },
         },
     }
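Review bot: "System: Read Group Compat Tree" keeps `'ipapermtarget': DN('cn=groups', 'cn=compat', api.env.basedn)` here, but the ACI.txt hunk in the same patch records its target as `ldap:///cn=*,cn=groups,cn=compat,dc=ipa,dc=example`. ACI.txt is generated from these definitions, so one of the two is stale and the ACI.txt consistency check will fail. If the wildcard target is what was exercised on the live server, change this line to `DN('cn=*', 'cn=groups', 'cn=compat', api.env.basedn)`, matching the views entry added below it; otherwise regenerate ACI.txt.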
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f95b4fd..5c03a09 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -428,11 +428,24 @@ class user(LDAPObject):
             'non_object': True,
             'ipapermbindruletype': 'anonymous',
             'ipapermlocation': api.env.basedn,
-            'ipapermtarget': DN('cn=users', 'cn=compat', api.env.basedn),
+            'ipapermtarget': DN('cn=users', 'cn=compat', api.env.basedn),
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
                 'homedirectory', 'loginshell',
+                'createtimestamp', 'modifytimestamp', 'entryusn',
+            },
+        },
+        'System: Read User Views Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('uid=*', 'cn=users', 'cn=*', 'cn=views', 
'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
+                'homedirectory', 'loginshell',
+                'createtimestamp', 'modifytimestamp', 'entryusn',
             },
         },
     }
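Review bot: the `-`/`+` pair on `'ipapermtarget': DN('cn=users', 'cn=compat', api.env.basedn),` is byte-for-byte identical in the visible text (trailing whitespace?), so this hunk leaves the target unchanged, yet ACI.txt in the same patch shows "System: Read User Compat Tree" with `ldap:///uid=*,cn=users,cn=compat,dc=ipa,dc=example`. Either this line was meant to become `DN('uid=*', 'cn=users', 'cn=compat', api.env.basedn)` or ACI.txt was edited by hand; regenerate ACI.txt from the plugin definitions before this goes in, and drop the no-op diff line from the patch.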
diff --git a/ipaserver/install/plugins/update_managed_permissions.py 
b/ipaserver/install/plugins/update_managed_permissions.py
index 2051bd4..d2b7dea 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -96,6 +96,17 @@ from ipaserver.install.plugins.baseupdate import PostUpdate
 register = Registry()
 
 NONOBJECT_PERMISSIONS = {
+    'System: Read Operational Attributes': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': api.env.basedn,
+        'ipapermtargetfilter': {'(objectclass=*)'},
+        'ipapermbindruletype': 'anonymous',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'createtimestamp', 'modifytimestamp',
+            'creatorsname', 'modifiersname', 'entryusn',
+        },
+    },
     'System: Read IPA Masters': {
         'replaces_global_anonymous_aci': True,
         'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
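Review bot: the attribute set omits entryDN, hasSubordinates and numSubordinates, which the message above proposes allowing, and includes creatorsname and modifiersname, which Martin questioned in the same exchange; the commit message should record which decision was taken and why. `'replaces_global_anonymous_aci': True` with `'ipapermtargetfilter': {'(objectclass=*)'}` on `api.env.basedn` also makes this the broadest managed permission in the file, so a one-line comment above the entry saying that it is intentionally DIT-wide (for SSSD's entryUSN use) would save the next reader from assuming it is a mistake.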
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
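The policy drift Petr flags at the top of the thread (the compat tree handing memberuid to anonymous while "Read Group Membership" under cn=accounts stays authenticated-only) is the kind of thing worth checking mechanically whenever ACI.txt changes. The following is an added example, not code from this patch or from FreeIPA: it parses the simple `(targetattr ...)(target ...)(version 3.0;acl "...";allow (...) userdn = "...";)` form that ACI.txt uses and reports which class of bind (anonymous, authenticated, or a named group) can read a given attribute on a given entry. The sample ACIs are copied from the hunks above in their post-patch state and joined onto one line each; the `;;)` left by the mail archive is tolerated. Simplifications, all assumptions of this example rather than 389-ds behaviour the thread documents: targetfilter is ignored (the entries asked about satisfy it), and a target DN is taken to cover the named entry and everything below it, with `*` matching one RDN value.

```python
"""Audit 389-ds/FreeIPA ACIs for anonymous exposure (added example, not FreeIPA code)."""
import re
from typing import Dict, List, Optional
from dataclasses import dataclass

# Leading clauses such as (targetattr = "...") and the trailing
# (version 3.0;acl "...";allow (...) userdn = "...";) body of a simple allow ACI.
CLAUSE_RE = re.compile(r'\(\s*(targetattr|targetfilter|target)\s*=\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(
    r'\(version\s+3\.0;\s*acl\s*"([^"]*)";\s*allow\s*\(([^)]*)\)\s*'
    r'(userdn|groupdn)\s*=\s*"([^"]*)"\s*;+\s*\)')


@dataclass(frozen=True)
class Aci:
    location: str            # DN of the entry carrying the aci attribute
    name: str
    attrs: frozenset         # lowercase attribute names, or {"*"}
    target: Optional[str]    # "ldap:///..." pattern, or None (location subtree)
    rights: frozenset
    bind_kind: str           # "userdn" or "groupdn"
    bind: str                # e.g. "ldap:///anyone"


def norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_aci(location: str, text: str) -> Aci:
    text = " ".join(text.split())            # re-join lines wrapped by the mail archive
    m = BODY_RE.search(text)
    if m is None:
        raise ValueError("unsupported ACI syntax: " + text[:60])
    clauses = dict(CLAUSE_RE.findall(text[: m.start()]))
    attrs = clauses.get("targetattr", "*")
    return Aci(location=norm_dn(location), name=m.group(1),
               attrs=frozenset(a.strip().lower() for a in attrs.split("||")),
               target=clauses.get("target"),
               rights=frozenset(r.strip().lower() for r in m.group(2).split(",")),
               bind_kind=m.group(3), bind=m.group(4).strip())


def _in_subtree(dn: str, base: str) -> bool:
    return dn == base or dn.endswith("," + base)


def aci_covers(aci: Aci, dn: str) -> bool:
    """Assumption: a target DN covers the named entry and its subtree; '*' matches one RDN value."""
    dn = norm_dn(dn)
    if not _in_subtree(dn, aci.location):
        return False
    if aci.target is None:
        return True
    pat = aci.target[len("ldap:///"):] if aci.target.startswith("ldap:///") else aci.target
    rx = re.escape(norm_dn(pat)).replace(r"\*", "[^,]*")
    return re.fullmatch(rx, dn) is not None or re.search("," + rx + "$", dn) is not None


def readers(acis: List[Aci], dn: str, attr: str) -> Dict[str, List[str]]:
    """Map bind class ('anonymous', 'authenticated', 'groupdn:<dn>') -> ACI names granting read."""
    attr = attr.lower()
    out: Dict[str, List[str]] = {}
    for aci in acis:
        if "read" not in aci.rights or not aci_covers(aci, dn):
            continue
        if "*" not in aci.attrs and attr not in aci.attrs:
            continue
        if aci.bind_kind == "userdn" and aci.bind == "ldap:///anyone":
            cls = "anonymous"
        elif aci.bind_kind == "userdn" and aci.bind == "ldap:///all":
            cls = "authenticated"
        else:
            cls = aci.bind_kind + ":" + aci.bind
        out.setdefault(cls, []).append(aci.name)
    return out


def anonymous_can_read(acis: List[Aci], dn: str, attr: str) -> bool:
    return "anonymous" in readers(acis, dn, attr)


def compat_leaks(acis: List[Aci], pairs):
    """pairs: (compat_dn, accounts_dn, attr). Return those where the compat tree
    exposes the attribute to anonymous but the primary tree does not."""
    return [(c, a, attr) for c, a, attr in pairs
            if anonymous_can_read(acis, c, attr) and not anonymous_can_read(acis, a, attr)]


BASE = "dc=ipa,dc=example"
# Constructed sample: four ACIs from the ACI.txt hunks in the thread, post-patch state.
SAMPLE = [
    (BASE, '(targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=*,cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";;)'),
    ("cn=groups,cn=accounts," + BASE, '(targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";;)'),
    ("cn=groups,cn=accounts," + BASE, '(targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";;)'),
    (BASE, '(targetattr = "createtimestamp || creatorsname || entryusn || modifiersname || modifytimestamp")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Operational Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;)'),
]
ACIS = [parse_aci(loc, txt) for loc, txt in SAMPLE]

if __name__ == "__main__":
    admins = ("cn=admins,cn=groups,cn=compat," + BASE, "cn=admins,cn=groups,cn=accounts," + BASE)
    for dn in admins:
        print(dn, "memberuid ->", readers(ACIS, dn, "memberuid"))
    print("compat-only anonymous exposure:", compat_leaks(ACIS, [admins + ("memberuid",)]))
```

Running it against these four ACIs reports memberuid on cn=admins as anonymous-readable through "Read Group Compat Tree" but authenticated-only through "Read Group Membership", and `aci_covers` shows the wildcard target no longer reaching the cn=groups,cn=compat container itself. The same `readers` call on a host entry under cn=computers shows the operational-attribute ACI reaching it, which is the DIT-wide exposure worth confirming before the last hunk lands.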
