[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 14 14:42:20 UTC 2015


On Wed, 14 Jan 2015, Simo Sorce wrote:
>On Wed, 14 Jan 2015 13:41:54 +0100
>thierry bordaz <tbordaz at redhat.com> wrote:
>
>> On 01/14/2015 12:03 PM, Martin Kosek wrote:
>> > On 01/14/2015 10:58 AM, thierry bordaz wrote:
>> >> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
>> >>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
>> >>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>> >>>>> On Tue, 13 Jan 2015 18:16:11 +0100
>> >>>>> Martin Kosek <mkosek at redhat.com> wrote:
>> >>>>>
>> >>>>>> This is a crude first version of the (working) fixes to fix
>> >>>>>> Winsync/Passsync problems caused by the PermissionV2
>> >>>>>> refactoring.
>> >>>>>>
>> >>>>>> Simo/Petr3 or others, any concerns?
>> >>>>>>
>> >>>>> The first patch looks good
>> >>>>> the second looks .. broad ?
>> >>>>>
>> >>>>> Shouldn't you explicitly allow specific attributes ?
>> >>>> You mean for:
>> >>>>
>> >>>> +    'System: Read LDBM database config': {
>> >>>> +        'ipapermlocation': DN('cn=config'),
>> >>>> +        'ipapermtarget': DN('cn=config,cn=ldbm
>> >>>> database,cn=plugins,cn=config'),
>> >>>> +        'ipapermbindruletype': 'permission',
>> >>>> +        'ipapermright': {'read', 'search', 'compare'},
>> >>>> +        'default_privileges': {'Replication Administrators'},
>> >>>> +        'ipapermdefaultattr': {'*'},
>> >>>> +    },
>> >>>>
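Review bot: 'ipapermdefaultattr': {'*'} together with 'ipapermright': {'read', 'search', 'compare'} lets members of 'Replication Administrators' read every attribute of the cn=config,cn=ldbm database,cn=plugins,cn=config entry, while the stated need is only nsslapd-changelogdir; if the DS schema check is what blocks naming that attribute, the asterisk-suffixed targetattr form proposed later in this thread keeps the grant from silently covering attributes added to that entry in the future, and the reason for choosing a wildcard should be recorded in the commit message.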
>> >>>> ? I did that as my first try, but then the ACI was not accepted
>> >>>> as the attribute I was looking for (nsslapd-changelogdir) is not
>> >>>> in the schema as the config is just an extensibleObject. But as
>> >>>> I was going through the attributes, I did not see anything
>> >>>> super-secret.
>> >>>>
>> >>>> Petr, is there any way to make permission plugin accept unknown
>> >>>> attribute in the permission attribute list, or do we need to use
>> >>>> "*" in this case?
>> >>> The ACL Syntax Error comes straight from the DS, so there's not
>> >>> much IPA can do. The error suggests adding nsslapd-changelogdir
>> >>> to the schema, but I'm not sure that's the right solution here.
>> >>> Thierry, any comments? See the attached LDIF.
>> >>>
>> >> Actually this limitation was added with the bug
>> >> https://bugzilla.redhat.com/show_bug.cgi?id=244229.
>> >> I do not see in the bug if the ability to define non-schema
>> >> attributes was creating a problem for IPA.
>> > Not before, but with PermissionV2 and especially these patches, we
>> > may need to control access to unknown attributes in
>> > extensibleObject objects.
>> One possibility is to revert that fix (with or without a configuration
>> toggle). But then in a topology with mixed versions of DS, old DS
>> will skip those ACIs.
>>
>> Using the '*' char is not nice but will guarantee the same evaluation on all
>> servers.
>
>We requested attribute validation when adding ACIs, w/o it it was very
>simple to make typos, which would be fatal for DENY ACIs.
>
>The problem here is in using extensibleObject and not defining a
>schema IMO.
>
>That said I am ok with the targetattr with appended asterisk to the
>undefined attribute name.
+1. Another alternative is to use some symbol that could not be present
in the attribute name at the beginning of the targetattr to switch off
the schema checks, e.g. targetattr=">nsslapd-changelogdir".
-- 
/ Alexander Bokovoy
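As an added illustration (not code from the patch, FreeIPA or 389-ds): a small model of the attribute check the thread describes, applied to the quoted permission. The schema set, the rendered ACI layout and the treatment of an asterisk-suffixed name as a wildcard that bypasses the check are assumptions made for the example.

```python
"""Constructed model of the ACI targetattr check discussed above.
The permission dict mirrors the one quoted from the patch; the schema set,
ACI layout and wildcard handling are assumptions, not FreeIPA/389-ds code."""

# Constructed stand-in for the DS schema: attributes the server knows about.
# nsslapd-changelogdir is deliberately absent, as the thread describes.
KNOWN_ATTRS = {"cn", "objectclass", "nsslapd-directory", "nsslapd-cachememsize"}

PERMISSION = {
    "name": "System: Read LDBM database config",
    "ipapermtarget": "cn=config,cn=ldbm database,cn=plugins,cn=config",
    "ipapermright": ("read", "search", "compare"),
    "ipapermdefaultattr": {"*"},
}


class ACLSyntaxError(ValueError):
    """Models the DS rejecting an ACI that names an attribute not in the schema."""


def check_targetattr(attrs, schema=KNOWN_ATTRS):
    """Apply the rule the thread describes: a plain attribute name must be in
    the schema; '*' and names ending in '*' are wildcards and skip the check."""
    for a in attrs:
        if a == "*" or a.endswith("*"):
            continue
        if a.lower() not in schema:
            raise ACLSyntaxError(f"targetattr {a!r} is not in the schema")
    return sorted(attrs)


def render_aci(perm, attrs=None, suffix="dc=example,dc=com"):
    """Render a 389-ds style ACI for the permission (assumed layout: bind rule
    type 'permission' becomes a groupdn on the permission entry under cn=pbac)."""
    attrs = check_targetattr(attrs if attrs is not None else perm["ipapermdefaultattr"])
    rights = ",".join(perm["ipapermright"])
    groupdn = f"ldap:///cn={perm['name']},cn=permissions,cn=pbac,{suffix}"
    return (f'(targetattr = "{" || ".join(attrs)}")'
            f'(target = "ldap:///{perm["ipapermtarget"]}")'
            f'(version 3.0;acl "permission:{perm["name"]}";'
            f'allow ({rights}) groupdn = "{groupdn}";)')


def wildcard_is_broad(attrs):
    """True when the targetattr list exposes every attribute of the entry,
    which is the breadth concern raised about the quoted hunk."""
    return "*" in attrs
```

Calling `render_aci(PERMISSION, {"nsslapd-changelogdir"})` raises `ACLSyntaxError` in this model, while `{"nsslapd-changelogdir*"}` renders a narrow ACI and `{"*"}` renders the broad one from the patch.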
