[Freeipa-users] Search Base issues

Martin Kosek mkosek at redhat.com
Wed Sep 3 07:29:06 UTC 2014


On 09/03/2014 09:02 AM, Martin Kosek wrote:
> In the meantime, you can use the workaround that Rob sent, you would just need
> to delete it again when the fix is in, so that the permissions do not step on
> each other.

Actually, wait a minute. I think Rob's ACI example may be too wide; it may
expose any attribute in the compat tree, including a potential userPassword.

As far as I can see, the slapi-nis plugin fortunately does not expose that, but it
is safer to just list the attributes that one wants to display (this is also
what we did in FreeIPA 4.0: no global wildcard-allowing ACIs any more).

I added a respective permission via Web UI (one part of it cannot be added via
CLI, see https://fedorahosted.org/freeipa/ticket/4522) and compat tree now
works for me. See attached example.

Resulting permission shown in CLI:

# ipa permission-show "TEMPORARY - Read compat tree"
  Permission name: TEMPORARY - Read compat tree
  Granted rights: read, search, compare
  Effective attributes: cn, description, gecos, gidnumber, homedirectory,
                        loginshell, memberuid, objectclass, uid, uidnumber
  Bind rule type: all
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test

It is much easier to manipulate than an ACI added via ldapmodify.

HTH,
Martin

> 
> Martin
> 
> On 09/02/2014 11:09 PM, Rob Crittenden wrote:
>> Chris Whittle wrote:
>>> If I do this 
>>>
>>> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D
>>> "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword'
>>> -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"
>>>
>>> It works fine
>>
>> AFAICT there currently isn't a permission for the compat tree. The admin
>> user can do it via 'Admin can manage any entry' and of course DM can do
>> it because it can do anything.
>>
>> A temporary workaround would be to add an aci manually:
>>
>> dn: dc=example,dc=com
>> changetype: modify
>> add: aci
>> aci: (targetattr = "*")(target =
>>   "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
>>   "Read canlogin compat tree";allow (compare,read,search) userdn =
>>   "ldap:///all";)
>>
>> This won't show up as a permission and will grant all authenticated
>> users read access to the canlogin compat tree. I'm assuming here this
>> contains entries keyed on uid.
>>
>> rob

Attachment: permission-add-compat.png (image/png, 109917 bytes)
<http://listman.redhat.com/archives/freeipa-users/attachments/20140903/0bcab441/attachment.png>
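The point Martin raises is that `(targetattr = "*")` grants read access to every attribute under the target, so a narrowed ACI that lists only the attributes the compat tree needs is the safer shape. The script below is an added example, not code from the thread or from FreeIPA: it unfolds LDIF continuation lines, pulls out each `aci` value, and flags a wildcard or negated `targetattr`, or one that would make a credential attribute readable. The sample LDIF is constructed here from Rob's wide ACI plus a narrowed variant using the attribute list from Martin's `permission-show` output; `krbPrincipalKey` is included in the sensitive set as an assumption about what an auditor would want to watch, alongside the `userPassword` named in the thread.

```python
"""Audit 389-ds style ACIs in an LDIF for over-broad attribute exposure.

Added example for the discussion above; it is not FreeIPA's own tooling.
"""
import re

# Attributes that a broad read ACI must not expose. userPassword is the one
# named in the thread; krbPrincipalKey is assumed to be in scope for the audit.
SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey"}
READ_LIKE_RIGHTS = {"read", "search", "compare", "all"}

TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)
ALLOW_RE = re.compile(r'\ballow\s*\(([^)]*)\)', re.IGNORECASE)

# Constructed sample: the wide ACI from the thread, then a narrowed variant
# that lists only the attributes shown by Martin's permission-show output.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target =
  "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
  "Read canlogin compat tree";allow (compare,read,search) userdn =
  "ldap:///all";)
-
add: aci
aci: (targetattr = "cn || description || gecos || gidnumber || homedirectory
  || loginshell || memberuid || objectclass || uid || uidnumber")(target =
  "ldap:///cn=compat,dc=example,dc=com")(version 3.0;acl
  "TEMPORARY - Read compat tree";allow (compare,read,search) userdn =
  "ldap:///all";)
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line that starts with one space
    continues the previous line, and that single space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_acis(ldif_text):
    """Return the unfolded value of every 'aci:' attribute in the LDIF."""
    return [line[4:].strip() for line in unfold_ldif(ldif_text)
            if line.lower().startswith("aci:")]


def audit_aci(aci):
    """Describe what one ACI exposes; 'findings' is empty when it looks safe."""
    name = ACL_NAME_RE.search(aci)
    allow = ALLOW_RE.search(aci)
    rights = {r.strip().lower() for r in allow.group(1).split(",")} if allow else set()
    result = {"name": name.group(1) if name else "<unnamed>",
              "rights": rights, "attrs": [], "findings": []}
    readable = bool(rights & READ_LIKE_RIGHTS)
    m = TARGETATTR_RE.search(aci)
    if m is None:
        result["findings"].append("no targetattr clause; check the default scope manually")
        return result
    op, raw = m.groups()
    attrs = [a.strip().lower() for a in raw.split("||") if a.strip()]
    listed = set(attrs)
    result["attrs"] = attrs
    if op == "=" and "*" in listed and readable:
        result["findings"].append("wildcard targetattr makes every attribute readable")
    if op == "!=" and readable:
        result["findings"].append("negated targetattr makes every attribute not listed readable")
    # Which sensitive attributes fall inside the granted attribute set?
    if "*" in listed:
        exposed = set(SENSITIVE_ATTRS) if op == "=" else set()
    elif op == "=":
        exposed = SENSITIVE_ATTRS & listed
    else:
        exposed = SENSITIVE_ATTRS - listed
    if readable:
        for attr in sorted(exposed):
            result["findings"].append(f"sensitive attribute {attr} is readable")
    return result


def audit_ldif(ldif_text):
    """Audit every ACI in an LDIF document."""
    return [audit_aci(aci) for aci in extract_acis(ldif_text)]


if __name__ == "__main__":
    for r in audit_ldif(SAMPLE_LDIF):
        status = "OK" if not r["findings"] else "REVIEW"
        print(f'{status:6} {r["name"]}: attrs={r["attrs"]}')
        for f in r["findings"]:
            print(f"       - {f}")
```

Run it against a dump of the `aci` values from the suffix entry (for example the output of an `ldapsearch` for `aci` on the base DN) to list which ACIs grant wildcard or credential-attribute reads; the narrowed ACI in the sample produces no findings, while Rob's wildcard one is flagged for both the wildcard and `userPassword`.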

