[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes

thierry bordaz tbordaz at redhat.com
Wed Jan 14 12:41:54 UTC 2015


On 01/14/2015 12:03 PM, Martin Kosek wrote:
> On 01/14/2015 10:58 AM, thierry bordaz wrote:
>> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
>>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
>>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>>>>> On Tue, 13 Jan 2015 18:16:11 +0100
>>>>> Martin Kosek <mkosek at redhat.com> wrote:
>>>>>
>>>>>> This is a crude first version of the (working) fixes to fix
>>>>>> Winsync/PassSync problems caused by the PermissionV2 refactoring.
>>>>>>
>>>>>> Simo/Petr3 or others, any concerns?
>>>>>>
>>>>> The first patch looks good,
>>>>> the second looks... broad?
>>>>>
>>>>> Shouldn't you explicitly allow specific attributes ?
>>>> You mean for:
>>>>
>>>> +    'System: Read LDBM database config': {
>>>> +        'ipapermlocation': DN('cn=config'),
>>>> +        'ipapermtarget': DN('cn=config,cn=ldbm
>>>> database,cn=plugins,cn=config'),
>>>> +        'ipapermbindruletype': 'permission',
>>>> +        'ipapermright': {'read', 'search', 'compare'},
>>>> +        'default_privileges': {'Replication Administrators'},
>>>> +        'ipapermdefaultattr': {'*'},
>>>> +    },
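Review bot: `'ipapermdefaultattr': {'*'}` on the `cn=config,cn=ldbm database,cn=plugins,cn=config` target opens read/search/compare on every attribute of that entry, while the stated need is only `nsslapd-changelogdir`; add a comment next to the wildcard recording why an explicit attribute list cannot be used here (the attribute is not in the schema, so DS rejects the ACI with an ACL syntax error), otherwise a later cleanup will narrow the list and hit the same rejection. The `ipapermtarget` DN is also split across two lines in this copy; confirm it is a single string in the actual patch.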
>>>>
>>>> ? I did that as my first try, but then the ACI was not accepted as the
>>>> attribute I was looking for (nsslapd-changelogdir) is not in the schema
>>>> as the config is just an extensibleObject. But as I was going through
>>>> the attributes, I did not see anything super-secret.
>>>>
>>>> Petr, is there any way to make permission plugin accept unknown
>>>> attribute in the permission attribute list, or do we need to use "*" in
>>>> this case?
>>> The ACL Syntax Error comes straight from the DS, so there's not much IPA can
>>> do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
>>> sure that's the right solution here.
>>> Thierry, any comments? See the attached LDIF.
>>>
>> Actually this limitation was added with the bug
>> https://bugzilla.redhat.com/show_bug.cgi?id=244229.
>> I do not see in the bug whether the ability to define a non-schema attribute was
>> creating a problem for IPA.
> Not before, but with PermissionV2 and especially these patches, we may need to
> control access to unknown attributes in extensibleObject objects.
One possibility is to revert that fix (with or without a configuration 
toggle). But then in a topology with mixed versions of DS, the old DS will 
skip those ACIs.

Using the '*' char is not nice but will guarantee the same evaluation on all 
servers.
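To make the trade-off in the thread concrete, here is an added example (not FreeIPA or 389-DS code) that renders a permission definition of the shape quoted above into a 389-DS ACI string and performs the schema check that DS applies to `targetattr`. The bind-rule DN layout, the `dc=example,dc=com` suffix and the small set of "known" attributes are assumptions constructed for the example; `nsslapd-changelogdir` is deliberately left out of that set to mirror the point that the config entry is an extensibleObject and the attribute is not in the schema.

```python
"""Render a FreeIPA-style managed-permission dict as a 389-DS ACI.

Added example, not project code. The ACI keywords follow standard 389-DS ACI
syntax; the permission-group DN layout, the suffix and the toy schema below
are assumptions made for illustration.
"""

SUFFIX = "dc=example,dc=com"  # assumed suffix

# Constructed toy schema: attribute types the server is assumed to know.
# nsslapd-changelogdir is intentionally absent (not in the DS schema).
KNOWN_ATTRS = {"cn", "objectclass", "nsslapd-directory", "nsslapd-cachememsize"}

PERMISSIONS = {
    "System: Read LDBM database config": {
        "ipapermlocation": "cn=config",
        "ipapermtarget": "cn=config,cn=ldbm database,cn=plugins,cn=config",
        "ipapermbindruletype": "permission",
        "ipapermright": {"read", "search", "compare"},
        "default_privileges": {"Replication Administrators"},
        "ipapermdefaultattr": {"*"},
    },
}


def check_attrs(attrs, schema=KNOWN_ATTRS):
    """Return the attributes that the (toy) schema does not define.

    389-DS refuses an ACI whose targetattr names an attribute type missing
    from the schema (the "ACL Syntax Error" in the thread). The wildcard
    '*' is always accepted, which is why the patch falls back to it.
    """
    return sorted(a for a in attrs if a != "*" and a.lower() not in schema)


def render_aci(name, perm, suffix=SUFFIX):
    """Build the ACI string for one permission, or raise if DS would reject it."""
    unknown = check_attrs(perm["ipapermdefaultattr"])
    if unknown:
        raise ValueError(f"attributes not in schema: {unknown}")

    targetattr = " || ".join(sorted(perm["ipapermdefaultattr"]))
    rights = ",".join(sorted(perm["ipapermright"]))

    bindtype = perm["ipapermbindruletype"]
    if bindtype == "permission":
        # Assumed layout: managed permissions bind to their own group entry.
        bindrule = f'groupdn = "ldap:///cn={name},cn=permissions,cn=pbac,{suffix}"'
    elif bindtype == "all":
        bindrule = 'userdn = "ldap:///all"'
    elif bindtype == "anonymous":
        bindrule = 'userdn = "ldap:///anyone"'
    else:
        raise ValueError(f"unknown bind rule type: {bindtype}")

    return (
        f'(targetattr = "{targetattr}")'
        f'(target = "ldap:///{perm["ipapermtarget"]}")'
        f'(version 3.0;acl "permission:{name}";allow ({rights}) {bindrule};)'
    )


def render_safely(name, perm):
    """Like render_aci, but return a 'REJECTED: ...' string instead of raising."""
    try:
        return render_aci(name, perm)
    except ValueError as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    name = "System: Read LDBM database config"
    wildcard = PERMISSIONS[name]
    # The explicit variant Martin tried first: narrowed to the one attribute.
    narrowed = dict(wildcard, ipapermdefaultattr={"nsslapd-changelogdir"})
    print("wildcard:", render_safely(name, wildcard))
    print("narrowed:", render_safely(name, narrowed))
```

Running it prints the wildcard ACI and a rejection for the narrowed variant, which is exactly the situation the thread describes: the explicit list is what a reviewer wants, but it cannot be expressed until the attribute is in the schema on every replica.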