[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
Martin Kosek
mkosek at redhat.com
Wed Jan 14 11:03:05 UTC 2015
On 01/14/2015 10:58 AM, thierry bordaz wrote:
> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>>>> On Tue, 13 Jan 2015 18:16:11 +0100
>>>> Martin Kosek <mkosek at redhat.com> wrote:
>>>>
>>>>> This is crude first version of the (working) fixes to fix
>>>>> Winsync/Passsync problems caused by the PermissionV2 refactoring.
>>>>>
>>>>> Simo/Petr3 or others, any concerns?
>>>>>
>>>>
>>>> The first patch looks good
>>>> the second looks .. broad ?
>>>>
>>>> Shouldn't you explicitly allow specific attributes ?
>>>
>>> You mean for:
>>>
>>> + 'System: Read LDBM database config': {
>>> + 'ipapermlocation': DN('cn=config'),
>>> + 'ipapermtarget': DN('cn=config,cn=ldbm
>>> database,cn=plugins,cn=config'),
>>> + 'ipapermbindruletype': 'permission',
>>> + 'ipapermright': {'read', 'search', 'compare'},
>>> + 'default_privileges': {'Replication Administrators'},
>>> + 'ipapermdefaultattr': {'*'},
>>> + },
>>>
>>> ? I did that as my first try, but then the ACI was not accepted as the
>>> attribute I was looking for (nsslapd-changelogdir) is not in the schema
>>> as the config is just an extensibleObject. But as I was going through
>>> the attributes, I did not see anything super-secret.
>>>
>>> Petr, is there any way to make permission plugin accept unknown
>>> attribute in the permission attribute list, or do we need to use "*" in
>>> this case?
>>
>> The ACL Syntax Error comes straight from the DS, so there's not much IPA can
>> do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
>> sure that's the right solution here.
>> Thierry, any comments? See the attached LDIF.
>>
> Actually this limitation was added with the bug
> https://bugzilla.redhat.com/show_bug.cgi?id=244229.
> I do not see in the bug, if the ability to define non schema attribute was
> creating a problem for IPA
Not before, but with PermissionV2 and especially these patches, we may need to
control access to unknown attributes in extensibleObject objects.
More information about the Freeipa-devel
mailing list