[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Simo Sorce ssorce at redhat.com
Wed Apr 16 15:56:32 UTC 2014


On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Martin Kosek wrote:
> >>>>>>>> >In general I am not sure all authenticated users need access to all this
> >>>>>>>> >info. Alexander ?
> >>>>>>>> SSSD needs to read some of this information for subdomains support.
> >>>>>>>> That would be at least host/*@REALM who needs to access it.
> >>>>>>>
> >>>>>>> Can you please list exactly which ones are needed ?
> >>>>>> SSSD subdomains support needs:
> >>>>>>   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
> >>>>>>     - ipaNTFlatName
> >>>>>>     - ipaNTSecurityIdentifier
> >>>>>>     - ipaNTTrustedDomainSID
> >>>>>>     - cn
> >>>>>
> >>>>> Question is - is there any added value in hiding part of the
> >>>>> trust information from authenticated users? I.e. attributes like
> >>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
> >>>>> attribute anyway?), SID blacklists...
> >>>> Yes. Some of those attributes are needed as internal detail of ipasam --
> >>>> part of how Samba stores this information taken from specific DCE RPC
> >>>> structures.
> >>>>
> >>>>> If yes, we would need to split this permission in 2 and have one for
> >>>>> authenticated users and one for "Trust Administrators" and "Trust Readers".
> >>>> Yes. Authenticated users shouldn't get any access to those details:
> >>>>   ipantsupportedencryptiontypes
> >>>>   ipanttrustattributes
> >>>>   ipanttrustauthincoming
> >>>>   ipanttrustauthoutgoing
> >>>>
> >>>>
> >>>
> >>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should
> >>> then have this permission assigned so that samba can operate the attributes.
> >> 'adtrust agents' and 'trust administrators' should have read, modify,
> >> delete, and search on cn=trusts.
> >>
> >
> >Right. We will probably want to turn most of the ACIs in
> >install/updates/60-trusts.update into managed permissions (i.e. defined in
> >trust.py) and make "adtrust agents" and "trust admins" its members.
> I agree. 
> 

+1

Simo.
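The split agreed on in this thread, as an added example that is not FreeIPA's own code: two permission specs shaped like the managed_permissions dicts FreeIPA plugins such as trust.py carry (the exact key names, privilege names and the placeholder suffix are assumptions), with a check that the authenticated-users permission never exposes the ipasam-internal attributes and a renderer for the resulting 389-ds ACIs.

```python
# Added example, not FreeIPA's own code: models the two-way permission split
# discussed in the thread and checks that no ipasam-internal attribute ends
# up readable by every authenticated user. The dict shape mirrors FreeIPA's
# managed_permissions entries; key and privilege names are assumptions.
from typing import Dict, List

# Attributes SSSD needs for subdomain support (listed in the thread).
SSSD_ATTRS = {"cn", "ipantflatname", "ipantsecurityidentifier", "ipanttrusteddomainsid"}
# ipasam/Samba internals that authenticated users must not see (listed in the thread).
SENSITIVE_ATTRS = {"ipantsupportedencryptiontypes", "ipanttrustattributes",
                   "ipanttrustauthincoming", "ipanttrustauthoutgoing"}
SUFFIX = "dc=example,dc=test"  # constructed placeholder for the real suffix

managed_permissions: Dict[str, dict] = {
    "System: Read Trust Information": {
        "ipapermbindruletype": "all",          # every authenticated bind
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": SSSD_ATTRS | {"objectclass"},
    },
    "System: Read Trust Details": {
        "ipapermbindruletype": "permission",   # only holders of the privileges below
        "ipapermright": {"read", "search", "compare"},
        "ipapermdefaultattr": SSSD_ATTRS | SENSITIVE_ATTRS | {"objectclass"},
        "default_privileges": {"Trust Admins", "Trust Readers"},  # assumed names
    },
}

def leaked_attrs(perms: Dict[str, dict]) -> List[str]:
    """Return 'permission: attr' for every sensitive attribute exposed through
    an 'all' (authenticated users) bind rule; an empty list means the split is sound."""
    leaks = []
    for name, spec in perms.items():
        if spec.get("ipapermbindruletype") != "all":
            continue
        attrs = {a.lower() for a in spec.get("ipapermdefaultattr", ())}
        leaks += [f"{name}: {a}" for a in sorted(attrs & SENSITIVE_ATTRS)]
    return leaks

def to_aci(name: str, spec: dict, suffix: str = SUFFIX) -> str:
    """Render one spec as a 389-ds ACI in the style FreeIPA writes for permissions."""
    attrs = " || ".join(sorted(spec["ipapermdefaultattr"]))
    rights = ",".join(sorted(spec["ipapermright"]))
    if spec["ipapermbindruletype"] == "all":
        bind = 'userdn = "ldap:///all"'
    else:  # bind through the permission's own group entry under cn=pbac
        bind = f'groupdn = "ldap:///cn={name},cn=permissions,cn=pbac,{suffix}"'
    return (f'(targetattr = "{attrs}")(target = "ldap:///cn=trusts,{suffix}")'
            f'(version 3.0;acl "permission:{name}";allow ({rights}) {bind};)')
```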