[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
Martin Kosek
mkosek at redhat.com
Wed Jan 14 21:27:09 UTC 2015
Adding freeipa-devel back.
On 01/14/2015 05:58 PM, Simo Sorce wrote:
> On Wed, 14 Jan 2015 17:47:51 +0100
> Martin Kosek <mkosek at redhat.com> wrote:
>
>> -add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl
>> "Deny read access to replica configuration"; deny(read, search,
>> compare) userdn = "ldap:///anyone";)'
>> +remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0;
>> acl "Deny read access to replica configuration"; deny(read, search,
>> compare) userdn = "ldap:///anyone";)'
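Review bot: the deny ACI on nsContainer entries is removed here with no replacement, so read, search and compare on the winsync replica container fall back to whatever allow rules already cover that subtree; the commit message should state explicitly what becomes readable and to which binds (the rule being dropped matched every bind via userdn = "ldap:///anyone"), and if only the name of the synced AD is meant to be visible, a targetattr-scoped allow for that attribute would be a narrower change than dropping the deny outright.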
>
> Why this removal?
It is in the patch description. This container stores winsync "replicas". With
this deny ACI, admin or anyone else besides Directory Manager can see the
replicas, as deny rules take precedence and this one is scoped for ldap://anyone.
My thinking was that this container is not too secret anyway; the only
information that a user gets is the name of the winsync'ed AD.
>> +dn: cn=config
>> +add:aci: '(version 3.0;acl "permission:Add Configuration
>> Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration
>> Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'
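Review bot: the new ACI on cn=config has no target or targetfilter clause, so allow (add) for the "Add Configuration Sub-Entries" group applies to every entry under cn=config rather than only the sub-entry this permission exists for; scope it with a target clause naming the specific entry (for example `(target = "ldap:///cn=changelog5,cn=config")` if the changelog entry is the intended one) or with a targetfilter, so the permission stays as close to a single entry as the use case allows.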
>
> Doesn't this allow Replication admin to add any object anywhere in
> cn=config ?
> This would be too broad.
It does. I wanted to narrow it with the targetfilter '(targetfilter =
"(cn=changelog5)")', but it did not work for me; the ADD was rejected. Not sure
why, though; when I used '(targetfilter = "(objectclass=extensibleobject)")', it
worked fine.
I fear this is some problem in DS targetfilter evaluation during ADD operation,
CCing Ludwig for reference.
Martin
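As an added illustration (not code from the patch or from FreeIPA), a small Python check that splits the two ACI strings quoted above into their target clauses, rights and bind rule and flags the two scoping problems discussed in the thread: an allow (add) rule with no target clause, and a deny rule bound to ldap:///anyone. The matchers are a simplified parser written for these ACI shapes only, and the scoped variant with a target clause on cn=changelog5,cn=config is an assumed narrowing, not something the patch contains.

```python
import re

# Both ACI strings are the ones quoted from the patch above, with the mail
# wrapping joined back together; they serve as constructed inputs here.
ACI_DENY_REPLICA = (
    '(targetfilter="(objectclass=nsContainer)")(version 3.0; acl '
    '"Deny read access to replica configuration"; deny(read, search, '
    'compare) userdn = "ldap:///anyone";)'
)
ACI_ADD_CONFIG = (
    '(version 3.0;acl "permission:Add Configuration Sub-Entries";'
    'allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,'
    'cn=permissions,cn=pbac,$SUFFIX";)'
)
# Assumed narrowing (not in the patch): the same rule with a target clause.
ACI_ADD_CONFIG_SCOPED = '(target = "ldap:///cn=changelog5,cn=config")' + ACI_ADD_CONFIG

# Simplified matchers for the ACI shapes above; not a full 389-ds ACI grammar.
_TARGET_RE = re.compile(r'\(\s*(targetfilter|targetattr|target)\s*(!?=)\s*"([^"]*)"\s*\)')
_PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn)\s*=\s*"([^"]*)"')

def parse_aci(aci):
    """Split an ACI into its target clauses, effect, rights and bind rule."""
    targets = {m.group(1): m.group(3) for m in _TARGET_RE.finditer(aci)}
    m = _PERM_RE.search(aci)
    if m is None:
        raise ValueError("no allow/deny clause found in ACI")
    rights = {r.strip() for r in m.group(2).split(",")}
    return {"targets": targets, "effect": m.group(1),
            "rights": rights, "bind": (m.group(3), m.group(4))}

def find_scope_issues(aci, entry_dn):
    """Return the scoping problems a reviewer would flag for an ACI placed on entry_dn."""
    info = parse_aci(aci)
    issues = []
    write_rights = {"add", "write", "delete"} & info["rights"]
    if info["effect"] == "allow" and write_rights and not info["targets"]:
        issues.append("%s allowed on every entry under %s: add a target or targetfilter clause"
                      % (sorted(write_rights), entry_dn))
    if info["effect"] == "deny" and info["bind"][1] == "ldap:///anyone":
        issues.append("deny bound to ldap:///anyone: deny rules take precedence in 389-ds, "
                      "so every bind except Directory Manager is blocked")
    return issues

if __name__ == "__main__":
    # The replica container DN is not given in the thread, hence the placeholder.
    for name, dn, aci in [("deny replica", "<replica container dn>", ACI_DENY_REPLICA),
                          ("add config", "cn=config", ACI_ADD_CONFIG),
                          ("add config scoped", "cn=config", ACI_ADD_CONFIG_SCOPED)]:
        print(name, find_scope_issues(aci, dn))
```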