[Freeipa-devel] GetEffectiveRights and add ACIs

Ludwig Krispenz lkrispen at redhat.com
Fri Jan 13 10:01:29 UTC 2017 

Hi,

if you look at: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html#ex-ger-non-entry

then it looks like you can provide GER a bit of information eg 
objectclass of the new entry, so that the existing aci would be 
selected. Maybe can_add can be extended.

Ludwig

On 01/13/2017 09:12 AM, thierry bordaz wrote:
> Hi Fraser,
>
> I failed to reproduce you test case, I mean the aci granted the add 
> right to a group member to ADD an entry with the filtered attribute.
> Now I have a doubt to test attribute valule on an entry that does not 
> yet exist.
>
> Would you run /usr/lib64/mozldap/ldapsearch   -D "cn=directory 
> manager" W -b "cn=cas,cn=ca,dc=ipa,dc=local " -J 
> "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=alice,cn=users,cn=accounts,dc=ipa,dc=local" 
> "(objectclass=*)"
>
> to get the effective rights under cn=cas,cn=ca,dc=ipa,dc=local
>
> Also you may replay your test case with ACL logs 
> (http://www.port389.org/docs/389ds/FAQ/faq.html#Troubleshooting), 
> nsslapd-errorlog-level: 262272
>
>
> thanks
> thierry
> On 01/13/2017 07:21 AM, Fraser Tweedale wrote:
>> In ca_add.pre_callback, we have:
>>
>>    if not ldap.can_add(dn[1:]):
>>        raise ACIError(...)
>>
>> `can_add' uses the GetEffectiveRights control to see what rights the
>> user has.
>>
>> When a user with the 'System: Add CA' permission attempts to add a
>> CA, the above ACIError gets raised.  This is definitely a bug. I
>> think it is a bug in DS GetEffectiveRights code.
>>
>> The ACI in play is:
>>
>>    dn: cn=cas,cn=ca,dc=ipa,dc=local
>>    aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl 
>> "permission:System
>>      : Add CA";allow (add) groupdn = "ldap:///cn=System: Add 
>> CA,cn=permissions,cn=
>>      pbac,dc=ipa,dc=local";)
>>    ...
>>
>> The user definitely has the right membership:
>>
>>    dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=local
>>    memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=local
>>    memberof: cn=CA Administrator,cn=roles,cn=accounts,dc=ipa,dc=local
>>    memberof: cn=LWCA 
>> Administration,cn=privileges,cn=pbac,dc=ipa,dc=local
>>    memberof: cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=local
>>
>> William suggested I check whether direct vs. indirect membership
>> made a difference.  It does not.
>>
>> A wild guess is that the algorithm that computes whether the subject
>> has add access under the given entry does not take the targetfilter
>> into account.  To solve, perhaps we could ignore ACI targetfilter when
>> computing add access for GER.
>>
>> Alternatively, is there another way for a user to determine if they
>> can add an entry at a particular place, without actually doing the
>> add?
>>
>> Thanks,
>> Fraser
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

More information about the Freeipa-devel mailing list