[Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

Martin Kosek mkosek at redhat.com
Fri Jul 4 13:40:16 UTC 2014


On 07/04/2014 02:49 PM, Petr Viktorin wrote:
> Hello,
>
> The dns-is-enabled command, used by the Web UI to determine if DNS pages should
> be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in cn=masters.
> However, currently the service entries are not accessible to all users, so the
> check will fail for non-admins.
>
> We talked about this with Martin and agreed that there's no sensitive
> information in the service entries.
> This patch grants read access to all authenticated users.
>
> Simo, is this OK?
>

I think this change is OK. We also only expose the service name; we do not 
expose any additional settings.

Would it make sense, though, if instead of creating an ACI for cn=masters we 
just updated the 'Anonymous read access to containers' ACI and removed the 
'target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX"' part?

Given that this ACI is in the DIT root, I would like to keep it as simple as 
possible for performance reasons.

Martin
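For reference, the two alternatives discussed above written out as 389-ds ACIs in LDIF. This is an added illustration, not the patch itself or FreeIPA's actual ACI text: the attribute lists, ACL names and the exact form of the existing root ACI are assumptions, and $SUFFIX is the page's placeholder for the base DN.

```ldif
# Option A (the approach in Petr's patch, assumed form): a dedicated ACI on
# cn=masters that lets authenticated users (userdn "ldap:///all") read the
# service entries. Only cn and objectclass are targeted, so the entries expose
# the service name and nothing else.
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "cn || objectclass")(version 3.0; acl "Read access to masters for authenticated users"; allow(read, search, compare) userdn = "ldap:///all";)

# Option B (Martin's suggestion, assumed form of the existing ACI): drop the
# target exclusion from the root-level container ACI instead. Because that ACI
# grants to "ldap:///anyone", the cn=masters entries would then be readable by
# anonymous binds as well, which is broader than option A.
dn: $SUFFIX
changetype: modify
delete: aci
aci: (targetattr = "cn || objectclass")(target != "ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
-
add: aci
aci: (targetattr = "cn || objectclass")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
```

Either way, the check is to bind as a non-admin user and run the Web UI's filter, e.g. `ldapsearch -Y GSSAPI -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" "(&(objectClass=ipaConfigObject)(cn=DNS))"`, and confirm that only cn and objectClass come back.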