[Freeipa-devel] Read access to container entries
Simo Sorce
simo at redhat.com
Mon Mar 31 16:01:00 UTC 2014
On Mon, 2014-03-31 at 15:39 +0200, Martin Kosek wrote:
> On 03/31/2014 02:53 PM, Simo Sorce wrote:
> > On Mon, 2014-03-31 at 10:41 +0200, Ludwig Krispenz wrote:
> ...
> >>> 3) Add a special attribute to mark "public" containers, and add an ACI
> >>> with a filter on that. Something like objectClass=ipaPublicContainer
> >>> would do.
> >> there is one more option
> >> 4) add an allow aci for cn=accounts,$S and a deny aci for
> >> cn=*,cn=accounts,$S or uid=*,cn=accounts,$S
> >
> > We want to get rid of deny ACIs if at all possible.
> >
> >> In general I think we should implement 1), there will be other scenarios
> >> where it could be useful. If something is needed immediately I would
> >> also prefer 3)
> >
> > I wonder, can we have an objectclass that defines no attributes ?
> > Or do we always need to have a MAY at least ?
>
> This particular objectclass could have just one MUST attribute - cn. Similarly
> to what nsContainer has.
>
> > Anyway I agree that the simplest solution would be to have an
> > objectclass to filter on.
> >
> > But I see 2 options.
> > 1. objectClass=ipaPublicContainer
> > 2. objectClass=ipaPrivateContainer
> >
> > The problem with the second is adding a
> > (!(objectclass=ipaPrivateContainer)) everywhere ...
> >
>
> I already elaborated on that topic later in this thread, please check it. It
> also includes an attached list of containers we already have. IMO most of the
> containers we have will be public, rather than private as LDAP nsContainer's cn
> attribute is semantically not meant to contain secrets we want to hide.
>
> So instead of adding 61 ipaPublicContainer everywhere I would just allow
> reading nsContainers (cn+objectclass) anonymously + have ipaPrivateContainer
> available in case we need it (I am not aware of any such case though).
Yeah sorry, I replied in order.
I agree with your proposal of allowing (objectclass=nsContainer) and a
targetfilter that simply excludes the cn=etc subtree.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
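For readers unfamiliar with 389 Directory Server ACI syntax, here is what the proposal agreed on above (anonymous read of cn and objectClass on nsContainer entries, with the cn=etc subtree excluded and the thread's proposed ipaPrivateContainer opt-out) could look like as an ACI. This is an added example, not an ACI from the thread or from FreeIPA itself; it assumes the suffix dc=example,dc=com, and it expresses the cn=etc subtree exclusion with a `target !=` clause rather than inside the targetfilter, since `target` is the ACI keyword that scopes by DN. The ipaPrivateContainer objectclass is assumed to exist in the schema.

```ldif
# Added example ACI (not from the thread or FreeIPA's own LDAP configuration).
# Assumed suffix: dc=example,dc=com.  Load with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f public-containers.ldif
dn: dc=example,dc=com
changetype: modify
add: aci
# Only the two attributes named in the thread are exposed; any other
# attribute on a container stays hidden from anonymous binds.
# "target !=" removes the whole cn=etc subtree from the ACI's scope.
# The targetfilter limits the grant to nsContainer entries that do not also
# carry the (assumed) ipaPrivateContainer opt-out objectclass.
aci: (targetattr = "cn || objectClass")
 (target != "ldap:///cn=etc,dc=example,dc=com")
 (targetfilter = "(&(objectClass=nsContainer)(!(objectClass=ipaPrivateContainer)))")
 (version 3.0; acl "Anonymous read access to public containers"; allow (read, search, compare) userdn = "ldap:///anyone";)
```

The continuation lines above follow LDIF folding (a single leading space is stripped when the value is reassembled), so the clauses join without intervening whitespace, which 389 DS accepts. Because this is a single allow rule, no deny ACI is needed: an entry under cn=etc, or one marked ipaPrivateContainer, simply matches no grant and stays unreadable to anonymous clients.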