[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Martin Kosek mkosek at redhat.com
Wed Apr 16 14:55:30 UTC 2014


On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>> >> +                'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>>> >> +                'ipanttrustposixoffset',
>>> >> 'ipantsupportedencryptiontypes',
>>> >> +                'ipantsidblacklistincoming',
>>> >> 'ipantsidblacklistoutgoing',
>>> >> +                # ipaNTDomainAttrs:
>>> >> +                'ipantsecurityidentifier', 'ipantflatname',
>>> >> 'ipantdomainguid',
>>> >> +                'ipantfallbackprimarygroup',
>>> >> +            },
>>> >> +        },
>>> >> +    }
>>> >>
>>> >>      label = _('Trusts')
>>> >>      label_singular = _('Trust')
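Review bot: the attribute set in this hunk is wider than the read access the thread establishes SSSD actually needs (ipaNTFlatName, ipaNTSecurityIdentifier, ipaNTTrustedDomainSID and cn): 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' and 'ipanttrustforesttrustinfo' in particular describe trust policy rather than the identity data a host principal has to resolve, so if this permission is bound to all authenticated users it over-grants. Suggest either trimming 'ipapermdefaultattr' to the four attributes SSSD reads, or splitting the managed permission into an all-users one carrying those four and a second one bound to the trust administration privilege for the rest. The top of the attribute block and the bind rule type are outside the quoted lines, so they cannot be checked here.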
>>> >
>>> >In general I am not sure all authenticated users need access to all this
>>> >info. Alexander ?
>>> SSSD needs to read some of this information for subdomains support.
>>> That would be at least host/*@REALM who needs to access it.
>>
>> Can you please list exactly which ones are needed ?
> SSSD subdomains support needs:
>   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>     - ipaNTFlatName
>     - ipaNTSecurityIdentifier
>     - ipaNTTrustedDomainSID
>     - cn

Question is - is there any added value in hiding part of the
trust information from authenticated users? I.e. attributes like
ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
attribute anyway?), SID blacklists...

If yes, we would need to split this permission in 2 and have one for
authenticated users and one for "Trust Administrators" and "Trust Readers".

Martin
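An added example, not code from the FreeIPA patch or from anyone in this thread, that models the two-permission split Martin suggests and checks it for least privilege. The dict keys (ipapermbindruletype, ipapermright, ipapermdefaultattr, default_privileges) follow the shape of FreeIPA's managed_permissions entries; the permission names are hypothetical placeholders, the attribute list is only the part visible in the quoted hunk, and it is assumed (the hunk does not show it) that the original single permission is bound to all authenticated users.

```python
"""Least-privilege check for a managed read permission on trusts.

Added example, not from the FreeIPA patch.  Keys mirror the
managed_permissions dict shape used by FreeIPA plugins (assumed here);
the permission names are hypothetical.
"""

READ_RIGHTS = frozenset({'read', 'search', 'compare'})

# Attributes visible in the quoted hunk (the hunk is cut off at the top,
# so this is only the part of the attribute set that is on the page).
HUNK_ATTRS = frozenset({
    'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
    'ipanttrustposixoffset', 'ipantsupportedencryptiontypes',
    'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing',
    'ipantsecurityidentifier', 'ipantflatname', 'ipantdomainguid',
    'ipantfallbackprimarygroup',
})

# What SSSD subdomain support needs, as listed in the thread.
SSSD_ATTRS = frozenset({
    'cn', 'ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid',
})


def single_permission(attrs):
    """One permission for every attribute, bound to all authenticated users.

    Models the patch as quoted, assuming (not shown in the hunk) that the
    permission's bind rule is 'all'.
    """
    return {
        'System: Read Trusts (hypothetical name)': {
            'ipapermbindruletype': 'all',
            'ipapermright': set(READ_RIGHTS),
            'ipapermdefaultattr': {a.lower() for a in attrs},
        },
    }


def split_permissions(all_attrs, needed_by_all, privilege='Trust Admins'):
    """Split into a minimal 'all' permission plus a privilege-bound one.

    The privilege name is an assumption; adjust to the deployment's own.
    """
    all_attrs = {a.lower() for a in all_attrs}
    needed = {a.lower() for a in needed_by_all}
    return {
        'System: Read Trust Identity (hypothetical name)': {
            'ipapermbindruletype': 'all',
            'ipapermright': set(READ_RIGHTS),
            'ipapermdefaultattr': needed,
        },
        'System: Read Trust Details (hypothetical name)': {
            'ipapermbindruletype': 'permission',
            'ipapermright': set(READ_RIGHTS),
            'ipapermdefaultattr': all_attrs - needed,
            'default_privileges': {privilege},
        },
    }


def attrs_exposed_to_all(perms):
    """Union of attributes readable through any permission bound to 'all'."""
    exposed = set()
    for spec in perms.values():
        if spec.get('ipapermbindruletype') == 'all' and \
                'read' in spec.get('ipapermright', ()):
            exposed |= {a.lower() for a in spec.get('ipapermdefaultattr', ())}
    return exposed


def overexposed(perms, allowed_for_all):
    """Attributes granted to all authenticated users beyond the allowed set.

    An empty result means the permission set is least-privilege with
    respect to the allowed list.
    """
    return attrs_exposed_to_all(perms) - {a.lower() for a in allowed_for_all}


if __name__ == '__main__':
    full = HUNK_ATTRS | {'cn'}
    print('over-exposed by one all-users permission:',
          sorted(overexposed(single_permission(full), SSSD_ATTRS)))
    print('over-exposed after the split:',
          sorted(overexposed(split_permissions(full, SSSD_ATTRS), SSSD_ATTRS)))
```

Run stand-alone it reports seven attributes (the SID blacklists, forest trust info, POSIX offset, supported encryption types, domain GUID and fallback primary group) that a single all-users permission would hand to every authenticated principal, and an empty set once those are moved behind the privilege-bound permission.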
