[Freeipa-devel] Read access to container entries

Martin Kosek mkosek at redhat.com
Tue Apr 1 11:32:29 UTC 2014

On 03/31/2014 06:01 PM, Simo Sorce wrote:
> On Mon, 2014-03-31 at 15:39 +0200, Martin Kosek wrote:
>> On 03/31/2014 02:53 PM, Simo Sorce wrote:
>>> On Mon, 2014-03-31 at 10:41 +0200, Ludwig Krispenz wrote:
>> ...
>>>>> 3) Add a special attribute to mark "public" containers, and add an ACI 
>>>>> with a filter on that. Something like objectClass=ipaPublicContainer 
>>>>> would do.
>>>> there is one more option
>>>> 4) add an allow aci for cn=accounts,$S and a deny aci for 
>>>> cn=*,cn=accounts,$S or uid=*,cn=accounts,$S
>>> We want to get rid of deny ACIs if at all possible.
>>>> In general I think we should implement 1), there will be other scenarios 
>>>> where it could be useful. If something is needed immediately I would 
>>>> also prefer 3)
>>> I wonder, can we have an objectclass that defines no attributes ?
>>> Or do we always need to have a MAY at least ?
>> This particular objectclass could have just one MUST attribute - cn. Similarly
>> to what nsContainer has.
>>> Anyway I agree that the simplest solution would be to have an
>>> objectclass to filter on.
>>> But I see 2 options.
>>> 1. objectClass=ipaPublicContainer
>>> 2. objectClass=ipaPrivateContainer
>>> The problem with the second is adding a
>>> (!(objectclass=ipaPrivateContainer)) everywhere ...
>> I already elaborated on that topic later in this thread, please check it. It
>> also includes an attached list of the containers we already have. IMO most of
>> the containers we have will be public rather than private, as the LDAP nsContainer's cn
>> attribute is semantically not meant to contain secrets we want to hide.
>> So instead of adding 61 ipaPublicContainer everywhere I would just allow
>> reading nsContainers (cn+objectclass) anonymously + have ipaPrivateContainer
>> available in case we need it (I am not aware of any such case though).
> Yeah sorry, I replied in order.
> I agree with your proposal of allowing (objectclass=nsContainer) and a
> targetfilter that simply excludes the cn=etc subtree.
> Simo.

Ok. I just wonder if we really need the ipaPrivateContainer ACI exception. We
may want to wait with such an objectclass unless it is really needed. For now, it
did not seem to me that there is any entry where it is needed.
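The two ACI shapes under discussion, written out as an added example (constructed for illustration, not taken from the thread or from FreeIPA's own code): `$S` is assumed to be `dc=example,dc=com`, and the "exclude the cn=etc subtree" part is expressed with the 389-ds `target !=` keyword, since an LDAP filter alone cannot say "not under this DN".

```ldif
# Constructed example; $S from the thread is written as dc=example,dc=com.
# Continuation lines carry two leading spaces so the joined ACI keeps its spaces.
#
# Variant A: Martin's proposal without an ipaPrivateContainer exception.
# Anonymous binds may read only cn and objectClass of nsContainer entries,
# and nothing at or below cn=etc (target != is subtree-scoped in 389-ds).
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "objectclass || cn")
  (target != "ldap:///cn=etc,dc=example,dc=com")
  (targetfilter = "(objectclass=nsContainer)")
  (version 3.0; acl "Anonymous read access to containers";
  allow (read, search, compare) userdn = "ldap:///anyone";)

# Variant B: the same grant, but entries that also carry the (hypothetical)
# ipaPrivateContainer objectclass are filtered out. Only the targetfilter
# changes; the attribute list and the cn=etc exclusion stay as in Variant A.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "objectclass || cn")
  (target != "ldap:///cn=etc,dc=example,dc=com")
  (targetfilter = "(&(objectclass=nsContainer)(!(objectclass=ipaPrivateContainer)))")
  (version 3.0; acl "Anonymous read access to non-private containers";
  allow (read, search, compare) userdn = "ldap:///anyone";)

# Check after applying either variant (anonymous, base-scope search):
#   ldapsearch -x -H ldap://ipa.example.com -b cn=accounts,dc=example,dc=com -s base
# should return only cn and objectClass for the container, while the same
# search against cn=etc,dc=example,dc=com should return no entry at all.
```

Apply only one variant; both are shown so the extra filter term that ipaPrivateContainer would cost can be compared against the plain nsContainer grant.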

