[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts
Petr Viktorin
pviktori at redhat.com
Tue Apr 22 11:38:44 UTC 2014
On 04/16/2014 05:56 PM, Simo Sorce wrote:
> On Wed, 2014-04-16 at 18:34 +0300, Alexander Bokovoy wrote:
>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>>>>>>>>> In general I am not sure all authenticated users need access to all this
>>>>>>>>>>> info. Alexander ?
>>>>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>>>>
>>>>>>>>> Can you please list exactly which ones are needed ?
>>>>>>>> SSSD subdomains support needs:
>>>>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>>>>> - ipaNTFlatName
>>>>>>>> - ipaNTSecurityIdentifier
>>>>>>>> - ipaNTTrustedDomainSID
>>>>>>>> - cn
>>>>>>>
>>>>>>> Question is - is there any added value in hiding part of the
>>>>>>> trust information from authenticated users? I.e. attributes like
>>>>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>>>>>>> attribute anyway?), SID blacklists...
>>>>>> Yes. Some of those attributes are needed as internal detail of ipasam --
>>>>>> part of how Samba stores this information taken from specific DCE RPC
>>>>>> structures.
>>>>>>
>>>>>>> If yes, we would need to split this permission in 2 and have one for
>>>>>>> authenticated users and one for "Trust Adminitrators" and "Trust Readers".
>>>>>> Yes. Authenticated users shouldn't get any access to those details:
>>>>>> ipantsupportedencryptiontypes
>>>>>> ipanttrustattributes
>>>>>> ipanttrustauthincoming
>>>>>> ipanttrustauthoutgoing
>>>>>>
>>>>>>
>>>>>
>>>>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should
>>>>> then have this permission assigned so that samba can operate the attributes.
>>>> 'adtrust agents' and 'trust administrators' should have read, modify,
>>>> delete, and search on cn=trusts.
>>>>
>>>
>>> Right. We will probably want to turn most of ACIs in
>>> install/updates/60-trusts.update in managed permissions (i.e. defined in
>>> trust.py) and make "adtrust agents" and "trust admins" it's members.
>> I agree.
>>
>
> +1
>
> Simo.
>
All right. Now I'm replacing the global anonymous read ACI; converting
the others will come later. The existing agents/admins ACIs grant the
'read' (or 'all') right already.
ipaIDRange is covered in the range plugin, so what's left for this patch
is the ipaNTTrustedDomain/ipaNTDomainAttrs attributes.
Does that sound reasonable?
--
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0529.2-Add-managed-read-permissions-to-trust.patch
Type: text/x-patch
Size: 1617 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140422/93dfbbc1/attachment.bin>
More information about the Freeipa-devel
mailing list