[Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens

Noriko Hosoi nhosoi at redhat.com
Fri Jan 10 18:49:14 UTC 2014


Hi Simo,

Simo Sorce wrote:
> On Fri, 2014-01-10 at 12:15 -0500, Simo Sorce wrote:
>> This is not what I had in mind, our use case is something like this:
>> aci: (target=ldap:///dc=bar)(targetattr=*) (version 3.0; acl "userattr
>> test"; allow (add) userattr = "managedby#USERDN";)
>>
>> ldapmodify -D uid=user,dc=bar ... <<EOF

>> dn: cn=somobj,dc=bar
>> ...
>> managedby: uid=user,dc=bar

> ^^^^^^^^ Sorry this should have been ldapadd.
> Simo.
Yes, it works.

aci: (target=ldap:///o=my.com)(targetattr=*) (version 3.0; acl "userattr test"; allow (add,write,delete,read,search,compare) userattr = "description#USERDN";)

$ ldapmodify ... -D 'uid=nuser0,o=my.com' -w Nuser0 -a << EOF
dn: uid=Nuser6, o=my.com
...
description: uid=nuser0,o=my.com
EOF

$ ldapsearch... -b "o=my.com" "(uid=nuser6)" description
dn: uid=Nuser6,o=my.com
description: uid=nuser0,o=my.com

# delete uid=nuser6

# attempt to add the entry by other user fails:
$ ldapmodify ... -D 'uid=nuser1,o=my.com' -w Nuser1 -a << EOF
dn: uid=Nuser6, o=my.com
...
description: uid=nuser0,o=my.com
EOF
ldap_add: Insufficient access
ldap_add: additional info: Insufficient 'add' privilege to the 'userPassword' attribute
>
>> dn: cn=somobj,dc=bar
>> ...
>> managedby: uid=user,dc=bar
>>
>>
>> This should succeed, however if managedby includes anything but
>> "uid=user,dc=bar" it should fail.
>>
>>>>>> Will it allow the user to add multiple values to the same attr as long
>>>>>> as one of them is the userDN? Or will it restrict that case?
>>>> This is also important, if attrFoo is a multivalued attribute, does this
>>>> option allow any values to be set as long as one of them is userDN ?
>>>> Or will it enforce that *only* userDN is added in the add operation?
>>> As long as the type of the attribute is not restricted as DN syntax, it
>>> takes any value including DN.  I tested with 'description' (e.g.,
>>> userattr = "description#USERDN") and verified it takes userDN as well as
>>> any other values.
>>>
>>> $ ldapmodify ... -D 'cn=directory manager' -w <pw>
>>> dn: uid=nuser4,o=my.com
>>> changetype: modify
>>> add: description
>>> description: uid=nuser4,o=my.com
>>>
>>> $ ldapmodify ... -D 'uid=nuser4,o=my.com' -w Nuser4
>>> dn: uid=nuser4,o=my.com
>>> changetype: modify
>>> add: description
>>> description: uid=nuser0,o=my.com
>>>
>>> modifying entry uid=nuser4,o=my.com
>>>
>>> $ ldapmodify ... -D 'uid=nuser0,o=my.com' -w Nuser0
>>> dn: uid=nuser4,o=my.com
>>> changetype: modify
>>> add: description
>>> description: uid=nuser1,o=my.com
>>>
>>> modifying entry uid=nuser4,o=my.com
>>>
>>> $ ldapmodify ... -D 'uid=nuser1,o=my.com' -w Nuser1
>>> dn: uid=nuser4,o=my.com
>>> changetype: modify
>>> add: description
>>> description: value
>>>
>>> $ ldapsearch ... -D 'cn=directory manager' -w <pw> -b
>>> "uid=nuser4,o=my.com" description
>>> dn: uid=Nuser4,o=my.com
>>> description: uid=nuser4,o=my.com
>>> description: uid=nuser0,o=my.com
>>> description: uid=nuser1,o=my.com
>>> description: value
>> If I read this correctly, and I am not 100% sure yet, it seems to me this
>> is exactly the opposite of what IPA needs.
>>
>> Our need is that uid=userX,... can only write its own DN as value or the
>> attributes we are allowing through userattr.
You want to allow this
$ ldapmodify ... -D 'uid=userX,o=my.com' -w userX << EOF
dn: uid=userY,o=my.com
changetype: modify
replace: managedby
managedby: uid=userX,o=my.com
EOF

But NOT allow this?
$ ldapmodify ... -D 'uid=userX,o=my.com' -w userX << EOF
dn: uid=userY,o=my.com
changetype: modify
replace: managedby
managedby: uid=userZ,o=my.com
EOF

I don't think we have the control there...
--noriko
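As an added illustration (not code from this thread or from 389-ds), a toy Python model of the userattr = "attr#USERDN" check as the tests above exhibit it: the bind DN must be one of the attribute's values in the target entry, and nothing constrains the other values. The DN normalization, the Directory Manager bypass, and evaluating MODIFY against the entry as it exists before the change are assumptions of the model.

```python
# Toy model (an assumption, not 389-ds code) of how an ACI of the form
#   userattr = "attr#USERDN"
# behaved in the tests above: the bind DN must appear among the values of
# attr in the target entry; the attribute's other values are not inspected.
ROOT_DN = "cn=directory manager"  # Directory Manager is not subject to ACIs

def norm_dn(dn):
    # Case-insensitive compare, ignoring spaces after commas ("uid=Nuser6, o=my.com").
    return ",".join(p.strip().lower() for p in dn.split(","))

def userattr_allows(bind_dn, entry, attr):
    bind = norm_dn(bind_dn)
    return bind == norm_dn(ROOT_DN) or any(norm_dn(v) == bind for v in entry.get(attr, []))

class ToyDirectory:
    def __init__(self, aci_attr):
        self.aci_attr, self.entries = aci_attr, {}
    def add(self, bind_dn, dn, entry):
        # ADD: the ACI is evaluated against the entry being added.
        if not userattr_allows(bind_dn, entry, self.aci_attr):
            return "Insufficient access"
        self.entries[norm_dn(dn)] = {k: list(v) for k, v in entry.items()}
        return "ok"
    def modify(self, bind_dn, dn, op, attr, value):
        # MODIFY: evaluated against the existing entry; the value being written is not checked.
        entry = self.entries.get(norm_dn(dn))
        if entry is None or not userattr_allows(bind_dn, entry, self.aci_attr):
            return "Insufficient access"
        entry[attr] = [value] if op == "replace" else entry.get(attr, []) + [value]
        return "ok"

def replay_description_tests():
    # The constructed sequence from the thread, with userattr = "description#USERDN".
    d = ToyDirectory("description")
    me0, me1, me4 = "uid=nuser0,o=my.com", "uid=nuser1,o=my.com", "uid=nuser4,o=my.com"
    r = [d.add(me0, "uid=Nuser6, o=my.com", {"description": [me0]})]
    del d.entries[norm_dn("uid=Nuser6, o=my.com")]  # "delete uid=nuser6"
    r.append(d.add(me1, "uid=Nuser6, o=my.com", {"description": [me0]}))  # other user: denied
    d.entries[norm_dn(me4)] = {}
    r += [d.modify(ROOT_DN, me4, "add", "description", me4),
          d.modify(me4, me4, "add", "description", me0),
          d.modify(me0, me4, "add", "description", me1),
          d.modify(me1, me4, "add", "description", "value")]
    return r, d.entries[norm_dn(me4)]["description"]

def replay_managedby_question():
    # userX replacing userY's managedby with userZ: the model gives no way to refuse it.
    d = ToyDirectory("managedby")
    d.entries[norm_dn("uid=userY,o=my.com")] = {"managedby": ["uid=userX,o=my.com"]}
    return d.modify("uid=userX,o=my.com", "uid=userY,o=my.com", "replace", "managedby", "uid=userZ,o=my.com")
```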