[Freeipa-devel] [PATCHES] 0521-0522 - Add managed read permissions to krbtpolicy & Allow anonymous read access to Kerberos realm container name

Simo Sorce ssorce at redhat.com
Tue Apr 15 13:16:13 UTC 2014


On Tue, 2014-04-15 at 13:13 +0200, Petr Viktorin wrote:
> On 04/15/2014 09:43 AM, Martin Kosek wrote:
> > On 04/15/2014 09:38 AM, Martin Kosek wrote:
> >> On 04/14/2014 07:18 PM, Simo Sorce wrote:
> >>> On Mon, 2014-04-14 at 18:54 +0200, Petr Viktorin wrote:
> >>>> Hello,
> >>>>
> >>>> The first patch adds default read permissions to krbtpolicy. Since the
> >>>> plugin manages entries in two trees, there are two permissions. Since
> >>>> two permissions are needed to cover krbtpolicy, it can't be used as a
> >>>> permission's --type.
> >>>> The permissions are added to a new privilege, 'Kerberos Ticket Policy
> >>>> Readers'.
> >>>>
> >>>> The second patch adds an ACI for reading the Kerberos realm name. Since
> >>>> client enrollment won't work without this, I don't see a reason for
> >>>> having it managed by a permission.
> >>>>
> >>>
> >>> LGTM
> >>>
> >>> Simo.
> >>>
> >>
> >> 521 breaks a unit test:
> >>
> >> ======================================================================
> >> FAIL: test_permission[37]: permission_find: Search for u'Testperm_RN' using
> >> --subtree
> >> ----------------------------------------------------------------------
> >> Traceback (most recent call last):
> >>    File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
> >>      self.test(*self.arg)
> >>    File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 301, in
> >> <lambda>
> >>      func = lambda: self.check(nice, **test)
> >>    File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 319, in
> >> check
> >>      self.check_output(nice, cmd, args, options, expected, extra_check)
> >>    File "/root/freeipa-master/ipatests/test_xmlrpc/xmlrpc_test.py", line 359, in
> >> check_output
> >>      assert_deepequal(expected, got, nice)
> >>    File "/root/freeipa-master/ipatests/util.py", line 344, in assert_deepequal
> >>      assert_deepequal(e_sub, g_sub, doc, stack + (key,))
> >>    File "/root/freeipa-master/ipatests/util.py", line 352, in assert_deepequal
> >>      VALUE % (doc, expected, got, stack)
> >> AssertionError: assert_deepequal: expected != got.
> >>    test_permission[37]: permission_find: Search for u'Testperm_RN' using --subtree
> >>    expected = 1
> >>    got = 2
> >>    path = ('count',)
> 
> Thanks for the catch, tests updated.
> 
> >> Otherwise it works fine (krbtpolicy-show for user cannot be tested yet as we
> >> miss permissions for users).
> 
> Right; I don't think this permission by itself should allow access to 
> users. Correct me if that's wrong.
> 
> I created a users permission for testing:
>     ipa permission-add 'allow reading user objectclass' --type user 
> --right={read,search,compare} --attrs objectclass --bind all
> 
> > /me hit Send too soon.
> >
> > Although 522 works functionally and client now discovers the IPA server, there
> > is no path from SUFFIX to cn=REALM for anonymous users.
> >
> > I would personally change the ACI to
> >
> > (targetattr = "cn || objectclass")(targetfilter =
> > "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl
> > "Anonymous read access to Kerberos container";allow (read,compare,search)
> > userdn = "ldap:///anyone";)'
> >
> > and put it to cn=kerberos,$SUFFIX (which is of krbcontainer objectclass).
> 
> Right, that's necessary for UIs to list the container.
> Simo, are you okay with this?

It is no secret that an IPA server has a container named after the
domain. And the REALM name is available unauthenticated from DNS, so
knowledge of it's existence is given.
Therefore I see no problem if anonymous can see the container exists, as
long as no contents (beyond what we already determined need to be) are
revealed I see no problem.

Simo.





More information about the Freeipa-devel mailing list