[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes

Simo Sorce ssorce at redhat.com
Wed Jan 14 14:34:52 UTC 2015


On Wed, 14 Jan 2015 13:41:54 +0100
thierry bordaz <tbordaz at redhat.com> wrote:

> On 01/14/2015 12:03 PM, Martin Kosek wrote:
> > On 01/14/2015 10:58 AM, thierry bordaz wrote:
> >> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
> >>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
> >>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
> >>>>> On Tue, 13 Jan 2015 18:16:11 +0100
> >>>>> Martin Kosek <mkosek at redhat.com> wrote:
> >>>>>
> >>>>>> This is crude first version of the (working) fixes to fix
> >>>>>> Winsync/Passsync problems caused by the PermissionV2
> >>>>>> refactoring.
> >>>>>>
> >>>>>> Simo/Petr3 or others, any concerns?
> >>>>>>
> >>>>> The first patch looks good,
> >>>>> the second looks... broad?
> >>>>>
> >>>>> Shouldn't you explicitly allow specific attributes?
> >>>> You mean for:
> >>>>
> >>>> +    'System: Read LDBM database config': {
> >>>> +        'ipapermlocation': DN('cn=config'),
> >>>> +        'ipapermtarget': DN('cn=config,cn=ldbm
> >>>> database,cn=plugins,cn=config'),
> >>>> +        'ipapermbindruletype': 'permission',
> >>>> +        'ipapermright': {'read', 'search', 'compare'},
> >>>> +        'default_privileges': {'Replication Administrators'},
> >>>> +        'ipapermdefaultattr': {'*'},
> >>>> +    },
> >>>>
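Review bot: 'ipapermdefaultattr': {'*'} grants read, search and compare on every attribute of the ldbm database config entry to Replication Administrators, while the stated need is the single attribute nsslapd-changelogdir. Since DS rejects targetattr names that are not in the schema, prefer a narrower form such as the attribute name with an appended asterisk rather than a bare '*', and note in the patch why the bare attribute name cannot be used.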
> >>>> ? I did that as my first try, but then the ACI was not accepted
> >>>> as the attribute I was looking for (nsslapd-changelogdir) is not
> >>>> in the schema as the config is just an extensibleObject. But as
> >>>> I was going through the attributes, I did not see anything
> >>>> super-secret.
> >>>>
> >>>> Petr, is there any way to make permission plugin accept unknown
> >>>> attribute in the permission attribute list, or do we need to use
> >>>> "*" in this case?
> >>> The ACL Syntax Error comes straight from the DS, so there's not
> >>> much IPA can do. The error suggests adding nsslapd-changelogdir
> >>> to the schema, but I'm not sure that's the right solution here.
> >>> Thierry, any comments? See the attached LDIF.
> >>>
> >> Actually this limitation was added with the bug
> >> https://bugzilla.redhat.com/show_bug.cgi?id=244229.
> >> I do not see in the bug if the ability to define a non-schema
> >> attribute was creating a problem for IPA.
> > Not before, but with PermissionV2 and especially these patches, we
> > may need to control access to unknown attributes in
> > extensibleObject objects.
> One possibility is to revert that fix (with or without a configuration
> toggle). But then in a topology with mixed versions of DS, old DS
> will skip those ACIs.
> 
> Using the '*' char is not nice but will guarantee the same evaluation on all
> servers.

We requested attribute validation when adding ACIs; without it, it was very
simple to make typos, which would be fatal for DENY ACIs.

The problem here is in using extensibleObject and not defining a
schema IMO.

That said I am ok with the targetattr with appended asterisk to the
undefined attribute name.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
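As an added illustration of the validation argument in this thread (not FreeIPA or 389-DS code), the following Python models the targetattr check: unknown attribute names are rejected, a bare '*' or a name with an appended '*' is accepted, and a typo in a DENY ACI's attribute list silently fails to match the attribute it was meant to protect. The schema set and the prefix-wildcard matching rule are assumptions of this model.

```python
# Simplified model of ACI targetattr validation and matching.
# Constructed sample schema; nsslapd-changelogdir is deliberately absent,
# as in the thread (cn=config entries are extensibleObject).
SCHEMA_ATTRS = {"cn", "objectclass", "nsslapd-directory", "nsslapd-cachesize"}


class ACLSyntaxError(ValueError):
    """Stands in for the 'ACL Syntax Error' the DS returns."""


def validate_targetattr(attrs, schema=SCHEMA_ATTRS):
    """Reject attribute names not in schema. '*' and names with an
    appended '*' are accepted (assumed wildcard form, per the thread)."""
    for a in attrs:
        name = a.lower()
        if name == "*" or name.endswith("*"):
            continue
        if name not in schema:
            raise ACLSyntaxError(f"unknown attribute in targetattr: {a}")
    return True


def targetattr_matches(pattern, attr):
    """Does one targetattr entry cover the attribute being accessed?
    Assumption: a trailing '*' is a prefix wildcard."""
    pattern, attr = pattern.lower(), attr.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return attr.startswith(pattern[:-1])
    return pattern == attr


def deny_covers(deny_attrs, attr):
    """True if a DENY ACI listing deny_attrs actually protects attr.
    A typo in deny_attrs means the attribute is NOT denied."""
    return any(targetattr_matches(p, attr) for p in deny_attrs)


def render_targetattr(perm):
    """Render the targetattr clause from a permission dict like the
    one in the quoted patch (keys assumed from that snippet)."""
    attrs = " || ".join(sorted(perm["ipapermdefaultattr"]))
    return f'(targetattr = "{attrs}")'
```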
