[Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

Martin Kosek mkosek at redhat.com
Fri Jul 4 14:02:10 UTC 2014


On 07/04/2014 03:55 PM, Petr Viktorin wrote:
> On 07/04/2014 03:40 PM, Martin Kosek wrote:
>> On 07/04/2014 02:49 PM, Petr Viktorin wrote:
>>> Hello,
>>>
>>> The dns-is-enabled command, used by the Web UI to determine if DNS
>>> pages should
>>> be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in
>>> cn=masters.
>>> However, currently the service entries are not accessible to all
>>> users, so the
>>> check will fail for non-admins.
>>>
>>> We talked about this with Martin and agreed that there's no sensitive
>>> information in the service entries.
>>> This patch grants read access to all authenticated users.
>>>
>>> Simo, is this OK?
>>>
>>
>> I think this change is OK. We also only expose the service name, we do
>> not expose any additional setting.
>>
>> Would it make sense though that we instead of creating an ACI for
>> cn=masters, we would just update the 'Anonymous read access to
>> containers' ACI and remove the
>> 'target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX"' part?
>
> That would grant *anonymous* access the masters & services. Do we want that?

Hmm, no, I do not think we want to do that.

Your change looks good to me then. Besides others, it fixes
https://fedorahosted.org/freeipa/ticket/4425
so I added it to patch description.

ACK. Pushed to master: 23feb4e0271d6876e2137f301f209a9f3af19084

Martin
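As an added illustration (constructed for this page; not the patch under discussion and not FreeIPA's actual ACI text), here is a 389 Directory Server ACI that grants the read access described above only to authenticated binds, next to the anonymous variant Petr warns against. The ACI names and the `cn || objectclass` attribute list are assumptions; `$SUFFIX` stands for the IPA base DN, as in the thread.

```ldif
# Constructed example of two 389 Directory Server ACIs on cn=masters.
# $SUFFIX is the IPA base DN placeholder used in the thread.

# Option rejected in the thread: removing the
# target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX" exclusion from the
# "Anonymous read access to containers" ACI has the same effect as this:
# "ldap:///anyone" matches unauthenticated binds too, so any anonymous
# client could read the masters and the service entries beneath them.
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "cn || objectclass")(target = "ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Anonymous read of masters (too broad)"; allow (read, search, compare) userdn = "ldap:///anyone";)

# Approach taken by the patch: a dedicated ACI on cn=masters limited to
# authenticated users. "ldap:///all" matches only bound, non-anonymous
# users. The attribute list (an assumption here) exposes just the service
# name and objectClass, which is all the Web UI filter
# (&(objectClass=ipaConfigObject)(cn=DNS)) needs, without exposing
# any other per-service settings.
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "cn || objectclass")(target = "ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Read access to masters for authenticated users"; allow (read, search, compare) userdn = "ldap:///all";)
```

To confirm the intended behaviour, run the same search twice with `ldapsearch`: an anonymous bind (`-x` without `-D`) against `cn=masters,cn=ipa,cn=etc,$SUFFIX` should return no entries, while a bind as an ordinary (non-admin) user should return the service entries with only `cn` and `objectClass` visible.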
