[Freeipa-devel] [PATCHES] 0521-0522 - Add managed read permissions to krbtpolicy & Allow anonymous read access to Kerberos realm container name

Martin Kosek mkosek at redhat.com
Tue Apr 15 07:43:49 UTC 2014


On 04/15/2014 09:38 AM, Martin Kosek wrote:
> On 04/14/2014 07:18 PM, Simo Sorce wrote:
>> On Mon, 2014-04-14 at 18:54 +0200, Petr Viktorin wrote:
>>> Hello,
>>>
>>> The first patch adds default read permissions to krbtpolicy. Since the 
>>> plugin manages entries in two trees, there are two permissions. Since 
>>> two permissions are needed to cover krbtpolicy, it can't be used as a 
>>> permission's --type.
>>> The permissions are added to a new privilege, 'Kerberos Ticket Policy 
>>> Readers'.
>>>
>>> The second patch adds an ACI for reading the Kerberos realm name. Since 
>>> client enrollment won't work without this, I don't see a reason for 
>>> having it managed by a permission.
>>>
>>
>> LGTM
>>
>> Simo.
>>
> 
> 521 breaks a unit test:
> 
> ======================================================================
> FAIL: test_permission[37]: permission_find: Search for u'Testperm_RN' using
> --subtree
> ----------------------------------------------------------------------
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
>     self.test(*self.arg)
>   File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 301, in
> <lambda>
>     func = lambda: self.check(nice, **test)
>   File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 319, in
> check
>     self.check_output(nice, cmd, args, options, expected, extra_check)
>   File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 359, in
> check_output
>     assert_deepequal(expected, got, nice)
>   File "/root/freeipa-master/ipatests/util.py", line 344, in assert_deepequal
>     assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>   File "/root/freeipa-master/ipatests/util.py", line 352, in assert_deepequal
>     VALUE % (doc, expected, got, stack)
> AssertionError: assert_deepequal: expected != got.
>   test_permission[37]: permission_find: Search for u'Testperm_RN' using --subtree
>   expected = 1
>   got = 2
>   path = ('count',)
> 
> Otherwise it works fine (krbtpolicy-show for user cannot be tested yet as we
> miss permissions for users).
> 
> Martin

/me hit Send too soon.

Although 522 works functionally and client now discovers the IPA server, there
is no path from SUFFIX to cn=REALM for anonymous users.

I would personally change the ACI to

(targetattr = "cn || objectclass")(targetfilter =
"(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl
"Anonymous read access to Kerberos container";allow (read,compare,search)
userdn = "ldap:///anyone";)

and put it on cn=kerberos,$SUFFIX (which is of krbcontainer objectclass).

Martin
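To see what the proposed ACI would and would not expose, here is an added toy evaluator (not FreeIPA or 389-DS code) that applies a simplified reading of that ACI to a constructed slice of the tree. It assumes an example suffix and realm name, a filter made only of objectclass equalities, and that an ACI on an entry covers its whole subtree.

```python
import re

# The ACI proposed above (stray trailing quote dropped), joined into one string.
PROPOSED_ACI = (
    '(targetattr = "cn || objectclass")'
    '(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")'
    '(version 3.0;acl "Anonymous read access to Kerberos container";'
    'allow (read,compare,search) userdn = "ldap:///anyone";)'
)

# Constructed suffix/realm; the ACI is assumed to sit on cn=kerberos,$SUFFIX.
SUFFIX = "dc=example,dc=test"
ACI_HOLDER = "cn=kerberos," + SUFFIX
ENTRIES = {
    ACI_HOLDER: {"cn": "kerberos", "objectclass": ["krbcontainer", "top"]},
    "cn=EXAMPLE.TEST," + ACI_HOLDER: {
        "cn": "EXAMPLE.TEST", "krbmaxticketlife": "86400",
        "objectclass": ["krbrealmcontainer", "krbticketpolicyaux", "top"]},
    "cn=users,cn=accounts," + SUFFIX: {"cn": "users", "objectclass": ["nscontainer", "top"]},
}


def parse_aci(aci):
    """Pull out the ACI parts this toy evaluator understands (hypothetical helper)."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci).group(1)
    filt = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci).group(1)
    perms = re.search(r'allow\s*\(([^)]*)\)', aci).group(1)
    userdn = re.search(r'userdn\s*=\s*"([^"]*)"', aci).group(1)
    return {
        "attrs": {a.strip().lower() for a in attrs.split("||")},
        "classes": {c.lower() for c in re.findall(r'\(objectclass=([^)]+)\)', filt, re.I)},
        "perms": {p.strip() for p in perms.split(",")},
        "anyone": userdn == "ldap:///anyone",
    }


def anonymous_can_read(aci, holder_dn, dn, attr):
    """Can an anonymous bind read `attr` of `dn`, given this ACI placed on `holder_dn`?"""
    rule = parse_aci(aci)
    in_scope = dn == holder_dn or dn.endswith("," + holder_dn)  # ACI covers its subtree
    if not (in_scope and rule["anyone"] and "read" in rule["perms"]):
        return False
    classes = {c.lower() for c in ENTRIES[dn]["objectclass"]}
    return bool(classes & rule["classes"]) and attr.lower() in rule["attrs"]


def anonymous_view(aci=PROPOSED_ACI, holder_dn=ACI_HOLDER):
    """Attributes an anonymous client would get back for each constructed entry."""
    return {dn: sorted(a for a in e if anonymous_can_read(aci, holder_dn, dn, a))
            for dn, e in ENTRIES.items()}
```

The container and realm entries expose only cn and objectclass; the ticket policy attribute on the realm entry and everything outside cn=kerberos stay hidden from anonymous binds.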
