Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/22/2014 05:02 PM, Alexander Bokovoy wrote: On Mon, 22 Sep 2014, Simo Sorce wrote: On Mon, 22 Sep 2014 15:36:01 +0200 David Kupka dku...@redhat.com wrote: On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Thank you all for explanation and help. I rewrote the patch so it should work as requested now. Also I added tests to reassure the behavior is correct. Sorry for not catching this earlier, but should we also add new IPA MODRDN configuration ? We currently change krbPrincipalName if the user uid changes. However perhaps what we should do is instead to allows aliases only for service/host principals but not for ipa users, at least for now. I think it is sensible approach to limit aliases for service/host principals only. Currently, David was only adding aliases for hosts - should we then expand the logic also for services? Should we also change permissions so that host/service entries *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN configuration so that if a service/host krbprincipalname is changed then krbcanonicalname is too. Yes, host/service shouldn't be renamed. Additionally, this would make also their certificates obsolete, in certain sense. Ok, this requirement will make it simpler. Here is the logic as I would see it: 1) Whenever an alias is added to existing service with the single krbPrincipalName, also krbCanonicalName is added targetting the original value, object is renamed to the CanonicalName. 2) Framework would prohibit changing the canonical name as that would always be the first name used when running host-add. (if someone does that via ldapmodify, that's their problem). Last but not least, and here I regret we may have a BIG issue, I just realize we use krbprincipalname in the Services DN, if we add additional values there does it mean we end up with a multivalued RDN ? Unfortunately, this is what happens right now if you add more than one krbprincipalname already. Things seem to work fine except you cannot address such objects in Web UI and CLI. That may be a problem, in such case should we rename services to use krbcanonicalname as the rnd instead ? We can do this in a compatible manner I think by renaming on the fly old entries if the still use krbprincipalname and changing our code to start always setting krbcanonicalname on new entries and set both canmonical
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On Wed, 24 Sep 2014 10:22:29 +0200 Martin Kosek mko...@redhat.com wrote: On 09/22/2014 05:02 PM, Alexander Bokovoy wrote: On Mon, 22 Sep 2014, Simo Sorce wrote: On Mon, 22 Sep 2014 15:36:01 +0200 David Kupka dku...@redhat.com wrote: On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Thank you all for explanation and help. I rewrote the patch so it should work as requested now. Also I added tests to reassure the behavior is correct. Sorry for not catching this earlier, but should we also add new IPA MODRDN configuration ? We currently change krbPrincipalName if the user uid changes. However perhaps what we should do is instead to allows aliases only for service/host principals but not for ipa users, at least for now. I think it is sensible approach to limit aliases for service/host principals only. Currently, David was only adding aliases for hosts - should we then expand the logic also for services? I expect aliases will be used almost exclusively with services not hosts. Should we also change permissions so that host/service entries *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN configuration so that if a service/host krbprincipalname is changed then krbcanonicalname is too. Yes, host/service shouldn't be renamed. Additionally, this would make also their certificates obsolete, in certain sense. Ok, this requirement will make it simpler. Here is the logic as I would see it: 1) Whenever an alias is added to existing service with the single krbPrincipalName, also krbCanonicalName is added targetting the original value, object is renamed to the CanonicalName. 1.1) change the framework to start creating new services using krbCanonicalName as RDN. 2) Framework would prohibit changing the canonical name as that would always be the first name used when running host-add. (if someone does that via ldapmodify, that's their problem). We should just prevent modrdn in cn=services and cn=accounts by removing the ability to do so in existing permissions I think. Last but not least, and here I regret we may have a BIG issue, I just realize we use krbprincipalname in the Services DN, if we add additional values there does it mean we end up with a multivalued RDN ? Unfortunately, this
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Thank you all for explanation and help. I rewrote the patch so it should work as requested now. Also I added tests to reassure the behavior is correct. -- David Kupka From 3e4a4ce3d951bd83ec046025f5acbfc7a0823f6e Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Tue, 2 Sep 2014 16:11:55 +0200 Subject: [PATCH] Allow multiple krbprincipalnames. Allow user to specify multiple krbprincipalnames and krbcanonicalname. User must have IT specialist role or Host Administrators privilege assigned. https://fedorahosted.org/freeipa/ticket/4421 --- ACI.txt| 2 ++ API.txt| 2 +- ipalib/plugins/host.py | 50 -- 3 files changed, 43 insertions(+), 11 deletions(-) diff --git a/ACI.txt b/ACI.txt index 1e6bec0ece554fb2457fae0462c0c673a9b24e41..1ac48c938c86a42082e4eb9a2cbbc42d9eb6fe8d 100644 --- a/ACI.txt +++ b/ACI.txt @@ -98,6 +98,8 @@ dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = ipasshpubkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host SSH Public Keys;allow (write) groupdn = ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify Hosts;allow (write) groupdn = ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=computers,cn=accounts,dc=ipa,dc=example +aci: (targetattr = krbcanonicalname || krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify krbCanonicalName and krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Modify krbCanonicalName and krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: dc=ipa,dc=example aci: (targetattr = cn || createtimestamp || entryusn || macaddress || modifytimestamp || objectclass)(target = ldap:///cn=computers,cn=compat,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read Host Compat Tree;allow (compare,read,search) userdn = ldap:///anyone;;) dn: cn=computers,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index bbd0f507b2faeec0239920cdcff28fe25d618e02..ef1f70397e7685161821a98a92ea575aa6eff532 100644 --- a/API.txt
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On Mon, 22 Sep 2014 15:36:01 +0200 David Kupka dku...@redhat.com wrote: On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Thank you all for explanation and help. I rewrote the patch so it should work as requested now. Also I added tests to reassure the behavior is correct. Sorry for not catching this earlier, but should we also add new IPA MODRDN configuration ? We currently change krbPrincipalName if the user uid changes. However perhaps what we should do is instead to allows aliases only for service/host principals but not for ipa users, at least for now. Should we also change permissions so that host/service entries *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN configuration so that if a service/host krbprincipalname is changed then krbcanonicalname is too. Last but not least, and here I regret we may have a BIG issue, I just realize we use krbprincipalname in the Services DN, if we add additional values there does it mean we end up with a multivalued RDN ? That may be a problem, in such case should we rename services to use krbcanonicalname as the rnd instead ? We can do this in a compatible manner I think by renaming on the fly old entries if the still use krbprincipalname and changing our code to start always setting krbcanonicalname on new entries and set both canmonical and principal name on every new entry. Opinions ? -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On Mon, 22 Sep 2014, Simo Sorce wrote: On Mon, 22 Sep 2014 15:36:01 +0200 David Kupka dku...@redhat.com wrote: On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Thank you all for explanation and help. I rewrote the patch so it should work as requested now. Also I added tests to reassure the behavior is correct. Sorry for not catching this earlier, but should we also add new IPA MODRDN configuration ? We currently change krbPrincipalName if the user uid changes. However perhaps what we should do is instead to allows aliases only for service/host principals but not for ipa users, at least for now. I think it is sensible approach to limit aliases for service/host principals only. Should we also change permissions so that host/service entries *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN configuration so that if a service/host krbprincipalname is changed then krbcanonicalname is too. Yes, host/service shouldn't be renamed. Additionally, this would make also their certificates obsolete, in certain sense. Last but not least, and here I regret we may have a BIG issue, I just realize we use krbprincipalname in the Services DN, if we add additional values there does it mean we end up with a multivalued RDN ? Unfortunately, this is what happens right now if you add more than one krbprincipalname already. Things seem to work fine except you cannot address such objects in Web UI and CLI. That may be a problem, in such case should we rename services to use krbcanonicalname as the rnd instead ? We can do this in a compatible manner I think by renaming on the fly old entries if the still use krbprincipalname and changing our code to start always setting krbcanonicalname on new entries and set both canmonical and principal name on every new entry. Sounds reasonable to me. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/22/2014 04:16 PM, Simo Sorce wrote: On Mon, 22 Sep 2014 15:36:01 +0200 David Kupka dku...@redhat.com wrote: On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Thank you all for explanation and help. I rewrote the patch so it should work as requested now. Also I added tests to reassure the behavior is correct. Sorry for not catching this earlier, but should we also add new IPA MODRDN configuration ? We currently change krbPrincipalName if the user uid changes. However perhaps what we should do is instead to allows aliases only for service/host principals but not for ipa users, at least for now. Right. But this patch does not allow aliases for users, so we do not do any changes on that side. Should we also change permissions so that host/service entries *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN configuration so that if a service/host krbprincipalname is changed then krbcanonicalname is too. Hmm, I think only admin is allowed to rename hosts right now. But you have a good point about the renames though. Last but not least, and here I regret we may have a BIG issue, I just realize we use krbprincipalname in the Services DN, if we add additional values there does it mean we end up with a multivalued RDN ? Oh, this one is a major issue then. It would mean that, yes. But is that a problem? I think DS is OK with just one attribute from multi-valued attribute to be in the DN, right? Though it may become awkward to manipulate in the framework. Another issue, are we handling the services correctly? They contain check for the host existence given they krbPrincipalName they are also bound to one of the aliases actually. What if somebody creates a service for alias.ipa.server.test and then deletes that alias? We will need to address it too. That may be a problem, in such case should we rename services to use krbcanonicalname as the rnd instead ? We can do this in a compatible manner I think by renaming on the fly old entries if the still use krbprincipalname and changing our code to start always setting krbcanonicalname on new entries and set both canmonical and principal name on every new entry. Opinions ? I am a bit afraid of renaming all services, there may be a *lot* of them. However, with new ACIs there should not be a problem having objects with different RDNs. I am thinking host plugin could change RDN to krbCanonicalName when a second
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On Mon, 22 Sep 2014 17:25:27 +0200 Martin Kosek mko...@redhat.com wrote: On 09/22/2014 04:16 PM, Simo Sorce wrote: On Mon, 22 Sep 2014 15:36:01 +0200 David Kupka dku...@redhat.com wrote: On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Thank you all for explanation and help. I rewrote the patch so it should work as requested now. Also I added tests to reassure the behavior is correct. Sorry for not catching this earlier, but should we also add new IPA MODRDN configuration ? We currently change krbPrincipalName if the user uid changes. However perhaps what we should do is instead to allows aliases only for service/host principals but not for ipa users, at least for now. Right. But this patch does not allow aliases for users, so we do not do any changes on that side. Should we also change permissions so that host/service entries *cannot* be renamed ? Otherwise we'd need to add again IAP MODRDN configuration so that if a service/host krbprincipalname is changed then krbcanonicalname is too. Hmm, I think only admin is allowed to rename hosts right now. But you have a good point about the renames though. Last but not least, and here I regret we may have a BIG issue, I just realize we use krbprincipalname in the Services DN, if we add additional values there does it mean we end up with a multivalued RDN ? Oh, this one is a major issue then. It would mean that, yes. But is that a problem? I think DS is OK with just one attribute from multi-valued attribute to be in the DN, right? Though it may become awkward to manipulate in the framework. Another issue, are we handling the services correctly? They contain check for the host existence given they krbPrincipalName they are also bound to one of the aliases actually. What if somebody creates a service for alias.ipa.server.test and then deletes that alias? We will need to address it too. That may be a problem, in such case should we rename services to use krbcanonicalname as the rnd instead ? We can do this in a compatible manner I think by renaming on the fly old entries if the still use krbprincipalname and changing our code to start always setting krbcanonicalname on new entries and set both canmonical and principal name on every new entry. Opinions ? I am a bit afraid of renaming all services, there
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Simo, Rob - are you OK with this approach? I.e. having a new permission just for allowing adding aliases and not touching the enrollment-related permission? I would assign that new permission to Host Administrators privilege by default. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On Fri, 19 Sep 2014 15:55:15 +0200 Martin Kosek mko...@redhat.com wrote: On 09/18/2014 09:42 PM, Martin Kosek wrote: On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin Simo, Rob - are you OK with this approach? I.e. having a new permission just for allowing adding aliases and not touching the enrollment-related permission? I would assign that new permission to Host Administrators privilege by default. Yeah, sounds like that would be better. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
https://fedorahosted.org/freeipa/ticket/4421 -- David Kupka From 77faaa3c7887550b493f86f90f654da8e1f42eee Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Tue, 2 Sep 2014 16:11:55 +0200 Subject: [PATCH] Allow multiple krbprincipalnames. Allow user to specify multiple krbprincipalnames and krbcanonicalname. User must have IT specialist role or Host Administrators privilege assigned. https://fedorahosted.org/freeipa/ticket/4421 --- ACI.txt| 4 +++- API.txt| 2 +- ipalib/plugins/host.py | 21 + 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/ACI.txt b/ACI.txt index 1e6bec0ece554fb2457fae0462c0c673a9b24e41..2a83af6ffba230f2d6ba5ec521652dc2312ce6d0 100644 --- a/ACI.txt +++ b/ACI.txt @@ -85,7 +85,9 @@ aci: (targetattr = businesscategory || cn || createtimestamp || description || dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add Hosts;allow (add) groupdn = ldap:///cn=System: Add Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=computers,cn=accounts,dc=ipa,dc=example -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbcanonicalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbCanonicalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbCanonicalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=computers,cn=accounts,dc=ipa,dc=example +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = enrolledby || objectclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Enroll a Host;allow (write) groupdn = ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=computers,cn=accounts,dc=ipa,dc=example diff --git a/API.txt b/API.txt index bbd0f507b2faeec0239920cdcff28fe25d618e02..ef1f70397e7685161821a98a92ea575aa6eff532 100644 --- a/API.txt +++ b/API.txt @@ -1884,7 +1884,7 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult option: Bool('ipakrbokasdelegate', attribute=False, autofill=False, cli_name='ok_as_delegate', multivalue=False, required=False) option: Bool('ipakrbrequirespreauth', attribute=False, autofill=False, cli_name='requires_pre_auth', multivalue=False, required=False) option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False) -option: Str('krbprincipalname?', attribute=True, cli_name='principalname') +option: Str('krbprincipalname?', attribute=True, cli_name='principalname', multivalue=True) option: Str('l', attribute=True, autofill=False, cli_name='locality', multivalue=False, required=False) option: Str('macaddress', attribute=True, autofill=False, cli_name='macaddress', csv=True, multivalue=True, pattern='^([a-fA-F0-9]{2}[:|\\-]?){5}[a-fA-F0-9]{2}$', required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 570bbe56aa0a315a031051f9a895702ba7c35076..53c2b95b44063049d64e8ad96bd5e52f1e1cab48 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -303,16 +303,17 @@ class host(LDAPObject): # This will let it be added if the client ends up enrolling with # an administrator instead. 'ipapermright': {'write'}, -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], 'ipapermdefaultattr': {'krbprincipalname'}, 'replaces': [ '(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(targetfilter = (!(krbprincipalname=*)))(targetattr = krbprincipalname)(version 3.0;acl permission:Add krbPrincipalName to a host; allow (write) groupdn = ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX;)', ], 'default_privileges': {'Host Administrators', 'Host Enrollment'}, }, +'System: Add krbCanonicalName to a Host': { +'ipapermright': {'write'}, +'ipapermdefaultattr': {'krbcanonicalname'}, +'default_privileges': {'Host Administrators'}, +}, 'System: Enroll a Host': { 'ipapermright': {'write'}, 'ipapermdefaultattr': {'objectclass', 'enrolledby'}, @@ -761,6 +762,7 @@ class host_mod(LDAPUpdate):
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/18/2014 10:19 AM, David Kupka wrote: +'System: Add krbCanonicalName to a Host': { +'ipapermright': {'write'}, +'ipapermdefaultattr': {'krbcanonicalname'}, +'default_privileges': {'Host Administrators'}, +}, Would it make sense to add the krbCanonicalName to System: Add krbPrincipalName to a Host permission as they are semantically connected? I.e. having one ACI without the other does not make much sense? Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On Thu, 18 Sep 2014 16:28:19 +0200 Martin Kosek mko...@redhat.com wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? I think also both the code and the tests are missing to ensure that the krbPrincipalName *also* *always* lists the krbCanonicalName. I think with the current code you can end up in a situation where you can have a value in KrbCanonicalName and completely different values in KrbPrincipalName. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/18/2014 04:28 PM, Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? To allow additional krbPrincipalNames. This behavior is requested by the ticket. Martin -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/18/2014 04:40 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 16:28:19 +0200 Martin Kosek mko...@redhat.com wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? I think also both the code and the tests are missing to ensure that the krbPrincipalName *also* *always* lists the krbCanonicalName. I think with the current code you can end up in a situation where you can have a value in KrbCanonicalName and completely different values in KrbPrincipalName. I didn't realize that there is such requirement although it's logical. I will fix it, thanks. Simo. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
On 09/18/2014 09:11 PM, Simo Sorce wrote: On Thu, 18 Sep 2014 14:57:45 -0400 Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 09/18/2014 04:06 PM, David Kupka wrote: On 09/18/2014 03:44 PM, Rob Crittenden wrote: David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4421 You are removing an ACI in this patch. It is always possible it is no longer needed. Did you test all the client enrollment scenarios? rob As far as I'm aware I'm not removing any ACI. I'm modifying ACI so it is possible to add krbPrincipalName to host even when there is already one (or more). And adding one ACI to allow writing krbCanonicalName to host. But I'm still not really familiar with ACI so please correct me if I'm wrong. What refers to is probably the update in ACI.txt - the ACI alternative to API.txt. David updated an ACI, not removed it. On that note, what is the reason for this permission change: -'ipapermtargetfilter': [ -'(objectclass=ipahost)', -'(!(krbprincipalname=*))', -], ? Yes, this is exactly the change I was referring to. Permission changes within a plugin now translate automatically to ACI changes. Sorry I wasn't clearer. This ACI gets replaced with a much simpler one and I'm not 100% sure it will work with all enrollments: -aci: (targetattr = krbprincipalname)(targetfilter = ((!(krbprincipalname=*))(objectclass=ipahost)))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) +aci: (targetattr = krbprincipalname)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Add krbPrincipalName to a Host;allow (write) groupdn = ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example;) The first one restricts writing the attribute only if it isn't already set. The second lets it be changed unconditionally. Yeah this is wrong indeed, the point of the ACI is to allow setting the principal only when it is not already set, which is the OTP enrollment case. But if krbprincipal is set then this specific permission should not grant rights to change it. At least this was my understanding. Simo. Right. It seems to me we should add keep this permission intact and add a new permission allowing adding krbPrincipalName aliases. This would allow writing both krbPrincipalName and krbCanonicalName. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel