[Freeipa-devel] [PATCH] 0506 Default read ACIs for hosts

Martin Kosek mkosek at redhat.com
Wed Apr 9 10:25:15 UTC 2014

On 04/03/2014 12:09 PM, Petr Viktorin wrote:
> Hello,
> This adds read permissions to read hosts.
> Read access is given to all authenticated users.
> For reading host membership info, there is a separate permission that also
> defaults to all authenticated users.
> The userPassword attribute is not included for obvious reasons.

1) We decided to show hosts only to authenticated users by default. I am just
thinking - should some portion of hosts be readable just like groups and users
are? For example at least the host core defined by the nsHost objectclass?

objectClasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass'
 SUP top STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ nsHostLoc
 ation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )

Are applications supposed to be able to anonymously read that information?

2) Do we want to count the enrolledBy and managedBy attributes towards the "System: Read Host
Membership" permission, or should they be included in the "Read Hosts" permission?

If we want to stick with the previous behavior, we would want to have only
"memberOf" listed, as this is what our original member-handling ACI looks like:

install/share/default-aci.ldif:aci: (targetattr = "memberOf || memberHost ||
memberUser")(version 3.0; acl "No anonymous access to member information"; deny
(read,search,compare) userdn != "ldap:///all";

3) I could not functionally test if e.g. clients and replicas still enroll as
we do not have an ACI for krbtpolicy/krbRealmContainer yet and
ipa-client-install searches for it.

Speaking of which, we will need to have an ACI for reading a portion of
krbRealmContainer anonymously to enable IPA client autodiscovery
(cn+objectclass should be sufficient).

We can wait with the functional testing until you get to krbRealmContainer though.
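To make the attribute split discussed in points 1 and 2 concrete, here is an added example (not code from the patch or from FreeIPA) that parses the deny ACI quoted above together with two hypothetical allow ACIs modelled on the proposed "Read Hosts" / "Read Host Membership" permissions, then reports which attributes an anonymous versus an authenticated bind could read. The bind-rule handling is a simplified model of 389-DS semantics (deny overrides allow, "ldap:///all" means authenticated binds); the allow ACIs and their attribute lists are assumptions for illustration.

```python
import re

# Constructed ACIs (assumption): the first is the deny rule quoted in the
# thread; the other two are hypothetical allow rules modelled on the
# proposed "Read Hosts" / "Read Host Membership" split, not the patch's ACIs.
ACIS = [
    '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; '
    'acl "No anonymous access to member information"; '
    'deny (read,search,compare) userdn != "ldap:///all";)',
    '(targetattr = "cn || serverHostName || description || l || nsHostLocation")'
    '(version 3.0; acl "Hypothetical: Read Hosts"; '
    'allow (read,search,compare) userdn = "ldap:///all";)',
    '(targetattr = "memberOf || managedBy || enrolledBy")'
    '(version 3.0; acl "Hypothetical: Read Host Membership"; '
    'allow (read,search,compare) userdn = "ldap:///all";)',
]

# Only the ACI shape used in the thread: targetattr + one allow/deny + one userdn rule.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]+)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]+)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]+)\)\s*'
    r'userdn\s*(?P<op>!?=)\s*"(?P<who>[^"]+)";\)')

def parse_aci(text):
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    d = m.groupdict()
    return {"attrs": {a.strip().lower() for a in d["attrs"].split("||")},
            "rights": {r.strip() for r in d["rights"].split(",")},
            "effect": d["effect"], "negate": d["op"] == "!=", "who": d["who"]}

def bind_rule_matches(aci, authenticated):
    # Simplified 389-DS bind rules: "ldap:///all" is every authenticated
    # bind, "ldap:///anyone" includes anonymous; "!=" inverts the match.
    hit = aci["who"] == "ldap:///anyone" or (
        aci["who"] == "ldap:///all" and authenticated)
    return hit != aci["negate"]

def can_read(attr, authenticated, acis=ACIS):
    """True if the bind may read attr: denied unless some allow ACI
    matches, and any matching deny ACI overrides every allow."""
    attr, allowed = attr.lower(), False
    for aci in map(parse_aci, acis):
        if attr in aci["attrs"] and "read" in aci["rights"] \
                and bind_rule_matches(aci, authenticated):
            if aci["effect"] == "deny":
                return False
            allowed = True
    return allowed
```

Run it with `can_read("memberOf", authenticated=False)` to see the quoted deny rule block anonymous reads even when a permission would otherwise grant memberOf.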
