On Fri, 2014-09-05 at 12:12 +0300, Alexander Bokovoy wrote:
> On Fri, 05 Sep 2014, Martin Kosek wrote:
> >On 09/04/2014 04:44 PM, Ludwig Krispenz wrote:
> >>
> >> On 09/04/2014 04:38 PM, Martin Kosek wrote:
> >>> On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
> >>> ...
> >>>>>> createTimestamp is an operational attribute and is synthesized by
> >>>>>> slapi-nis, there is no problem allowing access to it. I think we can
> >>>>>> allow the following operational attributes:
> >>>>>>
> >>>>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
> >>>>>> entryDN, hasSubordinates, numSubordinates
> >>>>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
> >>>>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
> >>>>> for the whole FreeIPA DIT. So this change is not so related to these patches.
> >>>>>
> >>>>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
> >>>>> consider that public information or just audit-like information for DM only?
> >>>> They are standard features of LDAP servers. RFC 4512 states:
> >>>> =============================================================================
> >>>> 3.4 Operational attributes
> >>>> ...
> >>>> Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
> >>>> 'modifiersName', and 'modifyTimestamp' attributes for all entries of the
> >>>> DIT.
> >>>> =============================================================================
> >>>>
> >>>> This is, again, a question of policy. Active Directory forbids anonymous
> >>>> access to the tree; so they always expose these attributes to
> >>>> authenticated users only. If we allow anonymous access, we should allow
> >>>> these attributes too.
> >>> Well, DS *does* maintain the attributes - the question is whether we want to
> >>> show them to anonymous/authenticated people or just the DM :)
> >> Whether you want to show them depends on whether they are useful or sensitive.
> >> I don't know why an anonymous user would need access to them.
> >> Are they sensitive? Well, at least they expose a DN which has rights to
> >> create and modify entries and could be used in trying to get more access.
> >
> >Alexander, should we then show just
> >+ 'createtimestamp', 'modifytimestamp', 'entryusn',
> >to authenticated users? I do not think that modifiers/creatorsDN is something
> >that an anonymous user needs to see by default.
> createtimestamp, modifytimestamp, and entryusn are all needed for the sssd
> LDAP provider. Not allowing them for anonymous will make legacy SSSD
> performance suboptimal.
>
> modifier/creator DNs can be given out only to authenticated users.

Yup, entryUSN is used to do quicker cache validation, and modifyTimestamp too.
ack to what Alexander proposed.

Simo.

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
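The split the thread converges on (anonymous read of createTimestamp, modifyTimestamp and entryUSN so the SSSD LDAP provider can validate its cache; creatorsName and modifiersName only for authenticated binds, since they reveal a DN with write rights) can be expressed as two 389 Directory Server ACIs. The LDIF below is an added illustration, not a patch from this thread or from FreeIPA's own ACI set; the suffix dc=example,dc=com and the acl names are placeholders. It relies on one 389-ds property worth knowing when auditing such rules: `targetattr = "*"` does not cover operational attributes, so they are only readable if an ACI names them explicitly, which is why the anonymous rule lists exactly the three attributes SSSD needs and nothing else. `ldap:///anyone` matches anonymous and authenticated binds alike; `ldap:///all` matches only authenticated users.

```ldif
# Added example (placeholder suffix and acl names), not FreeIPA's shipped ACIs.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "createTimestamp || modifyTimestamp || entryUSN")(version 3.0; acl "Anonymous read of cache-validation operational attributes"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
add: aci
aci: (targetattr = "creatorsName || modifiersName")(version 3.0; acl "Authenticated-only read of creator and modifier DNs"; allow (read, search, compare) userdn = "ldap:///all";)
-
```

Apply it with `ldapmodify` bound as Directory Manager, then check the effect from both sides: an anonymous `ldapsearch -x` requesting the operational attributes with `+` (or naming them) should return createTimestamp, modifyTimestamp and entryUSN but no creatorsName or modifiersName; the same search after a simple or GSSAPI bind should return all five. Because ACIs in 389-ds are additive, the check only proves the intent if no other ACI on the suffix already grants anonymous read of creatorsName or modifiersName.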
