[Freeipa-devel] [PATCHES] 0532-0533 Extend anonymous read ACI for containers

Petr Viktorin pviktori at redhat.com
Tue Apr 22 11:07:02 UTC 2014


On 04/18/2014 04:17 PM, Simo Sorce wrote:
> On Fri, 2014-04-18 at 16:11 +0200, Martin Kosek wrote:
>> On 04/18/2014 04:07 PM, Simo Sorce wrote:
>>> On Fri, 2014-04-18 at 15:49 +0200, Martin Kosek wrote:
>>>> On 04/18/2014 03:43 PM, Simo Sorce wrote:
>>>>> On Fri, 2014-04-18 at 13:50 +0200, Petr Viktorin wrote:
>>>>>> This extends the "Anonymous read access to containers" ACI to cover
>>>>>> cn=etc, as discussed in [0].
>>>>>>
>>>>>> A new objectClass is added so we can exclude virtual ops with
>>>>>> targetfilter: ipaVirtualOperation (2.16.840.1.113730.3.8.12.23).
>>>>>>
>>>>>>
>>>>>> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00319.html
>>>>>>
>>>>>
>>>>> LGTM
>>>>>
>>>>
>>>> It works perfectly except for one subtree we missed during the initial review and which
>>>> we should discuss:
>>>>
>>>> cn=replicas,cn=ipa,cn=etc,SUFFIX
>>>>
>>>> It contains a list of replicas (not FreeIPA masters) connected to FreeIPA.
>>>> Currently, this only affects Winsync replicas.
>>>>
>>>> I just verified that an anonymous user can retrieve the list of connected ADs via
>>>> winsync. The question is how to prevent it, given that this is also created dynamically
>>>> by older FreeIPA servers and given that it has no special objectclass to
>>>> base a filter on.
>>>>
>>>> Maybe we would need to add a deny ACI in this case after all?
>>>
>>> Or we can add an objectclass here too, the update script will then need
>>> to look at existing objects dynamically and update them.
>>
>> This would not work well as older FreeIPA servers would not use this
>> objectclass when "ipa-replica-manage connect --winsync" is run on them.
>
> I know, although you are probably not supposed to keep creating these
> kinds of agreements until you finish upgrading all the servers; we always
> advise people to upgrade the infra in a matter of weeks.
>
>>> However, we could also add a deny ACI only in this subtree for now and
>>> change it later, if we think that's too much work.
>>>
>>> We have plans to revisit shared replica information storage anyway, so
>>> perhaps it is not worth spending too much time on this now.
>>>
>>> Simo.
>>
>> A deny ACI preventing access to nsContainer for anonymous users in
>> cn=replica... is probably our best shot ATM unless we find a better solution.
>
> Agree.
>
> simo.


Updated patch attached.

-- 
Petr³
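Added illustration, not part of the thread and not the contents of patches 0532/0533: a toy evaluator for the two ACIs the discussion converges on, written in 389-ds ACI syntax. It shows why extending the allow ACI to cn=etc with a targetfilter on ipaVirtualOperation cannot protect cn=replicas,cn=ipa,cn=etc (the winsync entries carry no distinguishing objectclass, so they pass the filter), and why a deny ACI on that subtree closes the hole: in 389-ds any matching deny overrides every allow. The ACI texts, the suffix, and the sample entries are assumptions constructed for the example; only `(!(objectClass=X))` and `(objectClass=X)` target filters are modelled.

```python
"""Toy model of 389-ds ACI evaluation for the anonymous-read discussion.

Assumed, illustrative ACI texts (NOT the lines from the FreeIPA patches).
"""
import re

SUFFIX = "dc=example,dc=com"  # assumed suffix

# Assumed allow ACI: anonymous read of cn=etc, excluding virtual operations.
ALLOW_ACI = (
    '(targetattr = "*")'
    f'(target = "ldap:///cn=etc,{SUFFIX}")'
    '(targetfilter = "(!(objectClass=ipaVirtualOperation))")'
    '(version 3.0; acl "Anonymous read access to containers"; '
    'allow (read,search,compare) userdn = "ldap:///anyone";)'
)

# Assumed deny ACI for the replica subtree (the option Martin and Simo agree on).
DENY_ACI = (
    '(targetattr = "*")'
    f'(target = "ldap:///cn=replicas,cn=ipa,cn=etc,{SUFFIX}")'
    '(version 3.0; acl "No anonymous access to replica information"; '
    'deny (read,search,compare) userdn = "ldap:///anyone";)'
)

# Constructed sample entries; the winsync one mirrors what the thread
# describes: a plain nsContainer under cn=replicas with no special objectclass.
ENTRIES = {
    "container": {"dn": f"cn=ipa,cn=etc,{SUFFIX}",
                  "objectClass": ["top", "nsContainer"]},
    "virtual_op": {"dn": f"cn=some op,cn=virtual operations,cn=etc,{SUFFIX}",
                   "objectClass": ["top", "nsContainer", "ipaVirtualOperation"]},
    "winsync_replica": {"dn": f"cn=ad.example.test,cn=replicas,cn=ipa,cn=etc,{SUFFIX}",
                        "objectClass": ["top", "nsContainer"]},
}


def parse_aci(aci):
    """Pull out the pieces this model needs: target DN, targetfilter, allow/deny."""
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]+)"\)', aci).group(1)
    tf = re.search(r'\(targetfilter\s*=\s*"([^"]+)"\)', aci)
    kind = re.search(r'\b(allow|deny)\s*\(', aci).group(1)
    return {"target": target.lower(), "filter": tf.group(1) if tf else None, "kind": kind}


def filter_matches(filt, objectclasses):
    """Minimal filter support: (objectClass=X) and its negation (!(objectClass=X))."""
    if filt is None:
        return True
    m = re.fullmatch(r'\((!\()?objectClass=([^()]+)\)\)?', filt)
    if m is None:
        raise ValueError(f"unsupported filter in toy model: {filt}")
    present = m.group(2).lower() in {oc.lower() for oc in objectclasses}
    return (not present) if m.group(1) else present


def dn_in_scope(dn, target):
    """The ACI target covers the target entry itself and everything below it."""
    dn = dn.lower()
    return dn == target or dn.endswith("," + target)


def evaluate(entry, acis):
    """389-ds rule: any matching deny wins over allows; no match at all means deny."""
    verdicts = set()
    for aci in map(parse_aci, acis):
        if dn_in_scope(entry["dn"], aci["target"]) and \
                filter_matches(aci["filter"], entry["objectClass"]):
            verdicts.add(aci["kind"])
    if "deny" in verdicts:
        return "deny"
    return "allow" if "allow" in verdicts else "deny"


def report(acis):
    """Anonymous verdict per sample entry for a given ACI set."""
    return {name: evaluate(entry, acis) for name, entry in ENTRIES.items()}


if __name__ == "__main__":
    print("allow ACI only:     ", report([ALLOW_ACI]))
    print("allow + deny ACIs:  ", report([ALLOW_ACI, DENY_ACI]))
```

With the allow ACI alone the winsync replica entry is readable anonymously, which is the leak Martin verified; adding the deny ACI flips only that subtree to `deny` while cn=ipa,cn=etc stays readable and the virtual operation stays hidden by the targetfilter. The same check against a real server is an anonymous `ldapsearch -x` under the two bases before and after applying the ACIs.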
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0532.2-Add-a-new-ipaVirtualOperation-objectClass-to-virtual.patch
Type: text/x-patch
Size: 7353 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140422/79a99a55/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0533.2-Extend-anonymous-read-ACI-for-containers.patch
Type: text/x-patch
Size: 1794 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140422/79a99a55/attachment-0001.bin>