Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Thu, 18 Sep 2014 12:48:58 -0700 

On 09/18/2014 09:11 PM, Simo Sorce wrote:

On Thu, 18 Sep 2014 14:57:45 -0400
Rob Crittenden <rcrit...@redhat.com> wrote:


Martin Kosek wrote:

On 09/18/2014 04:06 PM, David Kupka wrote:

On 09/18/2014 03:44 PM, Rob Crittenden wrote:

David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4421


You are removing an ACI in this patch. It is always possible it
is no longer needed. Did you test all the client enrollment
scenarios?

rob



As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
it is possible to add krbPrincipalName to host even when there is
already one (or more). And adding one ACI to allow writing
krbCanonicalName to host. But I'm still not really familiar with
ACI so please correct me if I'm wrong.



What refers to is probably the update in ACI.txt - the ACI
alternative to API.txt. David updated an ACI, not removed it.

On that note, what is the reason for this permission change:

-            'ipapermtargetfilter': [
-                '(objectclass=ipahost)',
-                '(!(krbprincipalname=*))',
-            ],

?


Yes, this is exactly the change I was referring to. Permission changes
within a plugin now translate automatically to ACI changes. Sorry I
wasn't clearer.

This ACI gets replaced with a much simpler one and I'm not 100% sure
it will work with all enrollments:

-aci: (targetattr = "krbprincipalname")(targetfilter =
"(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl
"permission:System: Add krbPrincipalName to a Host";allow (write)
groupdn = "ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)

+aci: (targetattr = "krbprincipalname")(targetfilter =
"(objectclass=ipahost)")(version 3.0;acl "permission:System: Add
krbPrincipalName to a Host";allow (write) groupdn =
"ldap:///cn=System: Add krbPrincipalName to a
Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)

The first one restricts writing the attribute only if it isn't already
set. The second lets it be changed unconditionally.


Yeah this is wrong indeed, the point of the ACI is to allow setting the
principal only when it is not already set, which is the OTP enrollment
case. But if krbprincipal is set then this specific permission should
not grant rights to change it.

At least this was my understanding.

Simo.
Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. 

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to