[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes

David Kupka dkupka at redhat.com
Mon Jan 19 12:20:48 UTC 2015


On 01/14/2015 10:27 PM, Martin Kosek wrote:
> Adding freeipa-devel back.
>
> On 01/14/2015 05:58 PM, Simo Sorce wrote:
>> On Wed, 14 Jan 2015 17:47:51 +0100
>> Martin Kosek <mkosek at redhat.com> wrote:
>>
>>> -add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl
>>> "Deny read access to replica configuration"; deny(read, search,
>>> compare) userdn = "ldap:///anyone";)'
>>> +remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0;
>>> acl "Deny read access to replica configuration"; deny(read, search,
>>> compare) userdn = "ldap:///anyone";)'
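Review bot: this hunk only removes the deny rule and adds nothing in its place; its targetfilter "(objectclass=nsContainer)" covers every nsContainer entry in the subtree, so after the removal readability of those entries depends entirely on whatever allow ACIs already reach them, which the hunk does not show. If the goal is only to let administrators see the winsync replica names, consider narrowing the deny (for example by excluding the replication administrators' groupdn from the bind rule) instead of dropping it, and state the rationale in the commit message so the widened read scope is a recorded decision.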
>>
>> Why this removal?
>
> It is in the patch description. This container stores winsync
> "replicas". With this deny ACI, admin or anyone else besides Directory
> Manager can see the replicas as deny rules take precedence and this one
> is scoped for ldap://anyone.
>
> My thinking was that this container is not too secret anyway; the only
> information that a user gets is the name of the winsync'ed AD.
>
>>> +dn: cn=config
>>> +add:aci: '(version 3.0;acl "permission:Add Configuration
>>> Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration
>>> Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'
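Review bot: the new ACI on cn=config has no target or targetfilter clause, so "allow (add)" applies to any entry beneath cn=config for members of that group, not just the intended sub-entry. Scope it before merging, either with a target clause on the specific DN, e.g. (target = "ldap:///cn=changelog5,cn=config") in front of the (version 3.0; ...) part, or with a targetfilter on the objectclass of the entry being added; also add a comment in the update file naming which sub-entry the permission is meant for.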
>>
>> Doesn't this allow Replication admin to add any object anywhere in
>> cn=config?
>> This would be too broad.
>
> It does. I wanted to narrow it with targetfilter '(targetfilter =
> "(cn=changelog5)")', but it did not work for me: ADD was rejected. Not
> sure why, though; when I used '(targetfilter =
> "(objectclass=extensibleobject)")', it worked fine.
>
> I fear this is some problem in DS targetfilter evaluation during ADD
> operation, CCing Ludwig for reference.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Hi!
This works for me. If all concerns regarding PermissionV2 and ACIs in 
general are resolved, we can push.

-- 
David Kupka
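The two ACI concerns raised in this thread (an allow rule on cn=config with no target scope, and a deny rule bound to ldap:///anyone that overrides every allow) can be checked mechanically before an update file is pushed. The following Python ACI linter is an added example, not code from the patch or from FreeIPA; the sample ACIs are constructed to match the shapes quoted above, and dc=example,dc=test stands in for $SUFFIX.

```python
import re

# Constructed sample ACIs shaped like the ones quoted in the thread; the
# suffix dc=example,dc=test stands in for $SUFFIX and is not from the patch.
ACI_UNSCOPED_ADD = ('(version 3.0;acl "permission:Add Configuration Sub-Entries";'
                    'allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,'
                    'cn=permissions,cn=pbac,dc=example,dc=test";)')
ACI_DENY_ANYONE = ('(targetfilter="(objectclass=nsContainer)")(version 3.0; acl '
                   '"Deny read access to replica configuration"; deny(read, search, '
                   'compare) userdn = "ldap:///anyone";)')
ACI_SCOPED_ADD = ('(target = "ldap:///cn=changelog5,cn=config")(version 3.0;acl '
                  '"permission:Add Configuration Sub-Entries";allow (add) groupdn = '
                  '"ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,'
                  'dc=example,dc=test";)')

# Target clauses come before the version clause: (target|targetfilter|targetattr = "...")
TARGET_RE = re.compile(r'\(\s*(target|targetfilter|targetattr)\s*=\s*"([^"]*)"\s*\)')
# ACI body: (version 3.0; acl "name"; allow|deny (perms) <bind rule>;)
ACL_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)'
                    r'\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$', re.S)

def parse_aci(aci):
    """Split one 389-ds ACI string into target clauses, effect, permissions and bind rule."""
    targets = {k.lower(): v for k, v in TARGET_RE.findall(aci)}
    m = ACL_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI syntax: %r" % aci)
    name, effect, perms, bind = m.groups()
    return {"name": name, "effect": effect,
            "perms": [p.strip() for p in perms.split(",")],
            "bind": bind.strip(), "targets": targets}

def lint_aci(aci, scope_dn):
    """Return review findings for an ACI placed on scope_dn (empty list = nothing to flag)."""
    a = parse_aci(aci)
    findings = []
    # Simo's concern: an allow with neither target nor targetfilter covers the whole subtree.
    if a["effect"] == "allow" and not ("target" in a["targets"] or "targetfilter" in a["targets"]):
        findings.append('allow (%s) has no target/targetfilter: it applies to every entry under %s'
                        % (", ".join(a["perms"]), scope_dn))
    # Martin's point: deny takes precedence, so a deny bound to anyone also blocks admins.
    if a["effect"] == "deny" and "ldap:///anyone" in a["bind"]:
        findings.append('deny bound to ldap:///anyone: deny wins over every allow, so admins are blocked too')
    return findings

if __name__ == "__main__":
    for aci in (ACI_UNSCOPED_ADD, ACI_DENY_ANYONE, ACI_SCOPED_ADD):
        print(parse_aci(aci)["name"], "->", lint_aci(aci, "cn=config") or "ok")
```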
