[Freeipa-devel] [PATCHES] 0532-0533 Extend anonymous read ACI for containers

Simo Sorce ssorce at redhat.com
Fri Apr 18 14:07:08 UTC 2014


On Fri, 2014-04-18 at 15:49 +0200, Martin Kosek wrote:
> On 04/18/2014 03:43 PM, Simo Sorce wrote:
> > On Fri, 2014-04-18 at 13:50 +0200, Petr Viktorin wrote:
> >> This extends the "Anonymous read access to containers" ACI to cover 
> >> cn=etc, as discussed in [0].
> >>
> >> A new objectClass is added so we can exclude virtual ops with 
> >> targetfilter: ipaVirtualOperation (2.16.840.1.113730.3.8.12.23).
> >>
> >>
> >> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00319.html
> >>
> > 
> > LGTM
> > 
> 
> It works perfectly except one subtree we missed during initial review and which
> we should discuss:
> 
> cn=replicas,cn=ipa,cn=etc,SUFFIX
> 
> It contains list of replicas (not FreeIPA masters) connected to FreeIPA.
> Currently, this only affects Winsync replicas.
> 
> I just verified that anonymous user can retrieve list of connected ADs via
> winsync. Question is, how to prevent it given that this is created dynamically
> also by older FreeIPA server and given that it has no special objectsclass to
> base a filtration on.
> 
> Maybe we would need to add a deny ACI in this case after all?

Or we can add an objectclass here too, the update script will then need
to look at existing objects dynamically and update them.

However we could also ass a deny aci only in this subtree for now and
change it later, if we think that's too much work.

We have plans to revisit shared replica information storage anyway, so
perhaps it is not worth spending too much time on this now.

Simo.





More information about the Freeipa-devel mailing list