[Freeipa-devel] Read access to container entries

Simo Sorce simo at redhat.com
Tue Apr 1 12:31:23 UTC 2014


On Tue, 2014-04-01 at 13:32 +0200, Martin Kosek wrote:
> On 03/31/2014 06:01 PM, Simo Sorce wrote:
> > On Mon, 2014-03-31 at 15:39 +0200, Martin Kosek wrote:
> >> On 03/31/2014 02:53 PM, Simo Sorce wrote:
> >>> On Mon, 2014-03-31 at 10:41 +0200, Ludwig Krispenz wrote:
> >> ...
> >>>>> 3) Add a special attribute to mark "public" containers, and add an ACI 
> >>>>> with a filter on that. Something like objectClass=ipaPublicContainer 
> >>>>> would do.
> >>>> there is one more option
> >>>> 4) add an allow aci for cn=accounts,$S and a deny aci for 
> >>>> cn=*,cn=accounts,$S or uid=*,cn=accounts,$S
> >>>
> >>> We want to get rid of deny ACIs if at all possible.
> >>>
> >>>> In general I think we should implement 1), there will be other scenarios 
> >>>> where it could be useful. If something is needed immediately I would 
> >>>> also prefer 3)
> >>>
> >>> I wonder, can we have an objectclass that defines no attributes ?
> >>> Or do we always need to have a MAY at least ?
> >>
> >> This particular objectclass could have just one MUST attribute - cn. Similarly
> >> to what nsContainer has.
> >>
> >>> Anyway I agree that the simplest solution would be to have an
> >>> objectclass to filter on.
> >>>
> >>> But I see 2 options.
> >>> 1. objectClass=ipaPublicContainer
> >>> 2. objectClass=ipaPrivateContainer
> >>>
> >>> The problem with the second is adding a
> >>> (!(objectclass=ipaPrivateContainer)) everywhere ...
> >>>
> >>
> >> I already elaborated on that topic later in this thread, please check it. It
> >> also includes an attached list of containers we already have. IMO most of
> >> containers we have will be public, rather than private as LDAP nsContainer's cn
> >> attribute is semantically not meant to contain secrets we want to hide.
> >>
> >> So instead of adding 61 ipaPublicContainer everywhere I would just allow
> >> reading nsContainers (cn+objectclass) anonymously + have ipaPrivateContainer
> >> available in case we need it (I am not aware of any such case though).
> > 
> > Yeah sorry, I replied in order.
> > 
> > I agree with your proposal of allowing (objectclass=nsContainer) and a
> > targetfilter that simply excludes the cn=etc subtree.
> > 
> > Simo.
> 
> Ok. I just wonder if we really need the ipaPrivateContainer ACI exception. We
> may want to wait with such objectclass unless it is really needed. For now, it
> did not seem to me that there is any entry where it is needed.

I would hold on as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
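The agreed approach (an allow ACI scoped to nsContainer entries, exposing only cn and objectClass, with the cn=etc subtree excluded and no deny ACI) written out as an LDIF modification. This is an added illustration, not the ACI FreeIPA ships; the suffix dc=example,dc=com stands in for $S in the thread and the acl name is a placeholder.

```ldif
# Illustration of the thread's proposal (constructed example, not FreeIPA's own ACI).
# Placed on the suffix so it covers cn=accounts and the other container trees.
# - targetfilter restricts the grant to entries that are nsContainer objects,
#   so user/group/host entries are not matched even though they live below
#   cn=accounts.
# - targetattr limits what anonymous clients may read to the container's name
#   and its objectClass; no other attribute of a container is disclosed.
# - target != carves the cn=etc subtree out of the grant instead of adding a
#   separate deny ACI, which the thread wants to avoid.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target != "ldap:///cn=etc,dc=example,dc=com")(targetattr = "cn || objectClass")(targetfilter = "(objectClass=nsContainer)")(version 3.0; acl "Anonymous read access to containers (example)"; allow(read, search, compare) userdn = "ldap:///anyone";)
```

After loading this with ldapmodify, an anonymous search such as `ldapsearch -x -b cn=accounts,dc=example,dc=com '(objectClass=nsContainer)' cn` should list the container names, while the same search with `-b cn=etc,dc=example,dc=com` or with a filter for non-container entries returns nothing, which is the check to run before relying on the ACI.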
