[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

[Alexander Bokovoy]

On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>> >In general I am not sure all authenticated users need access to all this
>>>>>>>> >info. Alexander ?
>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>
>>>>>>> Can you please list exactly which ones are needed ?
>>>>>> SSSD subdomains support needs:
>>>>>>   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>     - ipaNTFlatName
>>>>>>     - ipaNTSecurityIdentifier
>>>>>>     - ipaNTTrustedDomainSID
>>>>>>     - cn
>>>>>
>>>>> Question is - is there any added value in hiding part of the
>>>>> trust information from authenticated users? I.e. attributes like
>>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>>>>> attribute anyway?), SID blacklists...
>>>> Yes. Some of those attributes are needed as internal detail of ipasam --
>>>> part of how Samba stores this information taken from specific DCE RPC
>>>> structures.
>>>>
>>>>> If yes, we would need to split this permission in 2 and have one for
>>>>> authenticated users and one for "Trust Adminitrators" and "Trust Readers".
>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>   ipantsupportedencryptiontypes
>>>>   ipanttrustattributes
>>>>   ipanttrustauthincoming
>>>>   ipanttrustauthoutgoing
>>>>
>>>>
>>>
>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should
>>> then have this permission assigned so that samba can operate the attributes.
>> 'adtrust agents' and 'trust administrators' should have read, modify,
>> delete, and search on cn=trusts.
>>
>
>Right. We will probably want to turn most of ACIs in
>install/updates/60-trusts.update in managed permissions (i.e. defined in
>trust.py) and make "adtrust agents" and "trust admins" it's members.
I agree. 

-- 
/ Alexander Bokovoy