[Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens

Noriko Hosoi nhosoi at redhat.com
Thu Jan 9 23:15:55 UTC 2014


Simo Sorce wrote:
> On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote:
>> This patch is independent from my patches 0028-0031 and can be merged in
>> any order.
>>
>> This patch has a bug, but I can't figure it out. We need to set
>> nsslapd-access-userattr-strict on cn=config to "off".
> Uhmm what is the effect on ACL evaluation of changing this boolean ?
     Ticket 47653 - Need a way to allow users to create entries assigned to themselves

     Bug Description:  There are cases where users need to be able to create, edit and delete
                       their own entries.  Using an ACI with the "userattr" keyword does not
                       work with ADD operations (to prevent a security hole).  This prevents IPA's
                       OTP plugin from performing some necessary operations.

     Fix Description:  Added a new config attribute "nsslapd-access-userattr-strict".  The default
                       is "on" or strict.  For the IPA case, it would need to be set to "off" in
                       order to allow the desired behavior.

     https://fedorahosted.org/389/ticket/47653

This patch is included in 389-ds-base-1.3.2.10 and newer.

> I can't figure out from your commit nor from the 389ds commit what exactly
> changes and how it impacts the security of the directory.
>
> I ask because I was planning on using userattr to protect some
> operations in the password plugin but was waiting due to bug:
> https://fedorahosted.org/389/ticket/47571 which is being resolved.
Thank you for waiting.  We are going to add the fix to the next release 
(1.3.2.11).
Thanks!
--noriko

>
> I want to make sure your change won't change what this ACIs would allow.
>
> Is this option simply allowing the use of add/delete ACIs to be
> specified in conjunction with userattr, so that a user can add an attr
> only if it contains its own DN ?
>
> Will it allow the user to add multiple values to the same attr as long
> as one of them is the userDN? Or will it restrict that case?
>
> (I know that ipaTokenOwner is a single-value attribute, but the
> mechanism you are enabling here is general, and I want to be sure of
> what the semantics are)
>
> Simo.
>
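For readers following the thread, here is what the two pieces discussed above look like in LDIF. This is an added example, not an attachment from the thread or code from the 389-ds or FreeIPA projects: the first change is the cn=config modification the thread describes, the second is a self-ownership ACI of the kind the OTP plugin needs. The container DN, the objectClass name and the ACI name are placeholders I assumed; the only identifiers taken from the thread are nsslapd-access-userattr-strict, the "off" value and the ipatokenOwner attribute. The SELFDN bind type is the 389-ds userattr form that compares an attribute in the entry being added against the bind DN.

```ldif
# Added example, not from the thread. Part 1: relax the strict userattr
# check on cn=config (default is "on"; the thread says IPA needs "off").
dn: cn=config
changetype: modify
replace: nsslapd-access-userattr-strict
nsslapd-access-userattr-strict: off

# Part 2: an ACI that only lets a bound user ADD a token entry whose
# ipatokenOwner is the user's own DN.  Container DN, objectClass and
# the ACI name are assumed placeholders, not FreeIPA's real values.
dn: cn=otp,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(objectClass=ipaToken)")(version 3.0; acl "Users may add tokens they own (example)"; allow (add) userattr = "ipatokenOwner#SELFDN";)
```

Applied with `ldapmodify -x -D "cn=Directory Manager" -W -f file.ldif`. The check worth doing afterwards is the one Simo asks about: bind as a regular user, attempt an ADD whose ipatokenOwner is a different user's DN (and, for a multi-valued attribute, one whose values include both the bind DN and another DN), and confirm the server returns "Insufficient access" for anything that is not solely self-owned. The thread does not settle the multi-value semantics, so that test, rather than the setting's name, is what tells you what the ACI actually permits.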