[Freeipa-devel] [PATCH] 0616 Allow read access to services in cn=masters to auth'd users

Petr Viktorin pviktori at redhat.com
Fri Jul 4 13:55:46 UTC 2014


On 07/04/2014 03:40 PM, Martin Kosek wrote:
> On 07/04/2014 02:49 PM, Petr Viktorin wrote:
>> Hello,
>>
>> The dns-is-enabled command, used by the Web UI to determine if DNS pages
>> should be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))'
>> in cn=masters.
>> However, currently the service entries are not accessible to all users,
>> so the check will fail for non-admins.
>>
>> We talked about this with Martin and agreed that there's no sensitive
>> information in the service entries.
>> This patch grants read access to all authenticated users.
>>
>> Simo, is this OK?
>>
>
> I think this change is OK. We also only expose the service name, we do
> not expose any additional setting.
>
> Would it make sense though that we instead of creating an ACI for
> cn=masters, we would just update the 'Anonymous read access to
> containers' ACI and remove the
> 'target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX"' part?

That would grant *anonymous* access to the masters & services. Do we want that?

> Given that this ACI is in the DIT root, I would like to keep it as
> simple as possible for performance reasons.


-- 
Petr³
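To make the difference between the two options concrete, here is an added example (not part of the thread or of FreeIPA's own code) that evaluates the two ACI shapes under discussion against a service entry in cn=masters. The ACI texts, the suffix and the service DN are constructed samples written in 389-ds ACI syntax; the evaluator handles only target/target!= and userdn anyone/all, which is all this comparison needs.

```python
import re

# Constructed sample ACIs (assumption: modelled on 389-ds ACI syntax, not the
# literal FreeIPA ACI texts) for the options discussed in the thread.
SUFFIX = "dc=example,dc=test"
MASTERS = f"cn=masters,cn=ipa,cn=etc,{SUFFIX}"
ATTRS = '(targetattr = "objectclass || cn")'
GRANT = 'allow (read, search, compare) userdn = "ldap:///%s";)'

# Current state: anonymous read on containers, with cn=masters carved out.
ACI_ANON_CONTAINERS = (f'(target != "ldap:///{MASTERS}"){ATTRS}'
                       '(version 3.0; acl "Anonymous read access to containers"; '
                       + GRANT % "anyone")
# Suggested alternative: the same ACI with the target!= exclusion dropped.
ACI_ANON_NO_EXCLUSION = (f'{ATTRS}(version 3.0; acl "Anonymous read access to containers"; '
                         + GRANT % "anyone")
# The patch: a separate ACI on cn=masters for authenticated binds only.
ACI_AUTH_MASTERS = (f'(target = "ldap:///{MASTERS}"){ATTRS}'
                    '(version 3.0; acl "Read access to masters"; ' + GRANT % "all")

TARGET_RE = re.compile(r'\(target\s*(!=|=)\s*"ldap:///([^"]*)"\)')
USERDN_RE = re.compile(r'userdn\s*=\s*"ldap:///(anyone|all)"')

def in_subtree(entry_dn, base_dn):
    e, b = entry_dn.lower(), base_dn.lower()
    return e == b or e.endswith("," + b)

def aci_grants_read(aci, entry_dn, authenticated):
    """Minimal allow-ACI evaluation: only target/target!= and userdn anyone/all.
    Real 389-ds evaluation also handles deny rules, targetfilter, groups, etc."""
    bind = USERDN_RE.search(aci)
    if bind is None:
        return False
    # ldap:///all means any authenticated bind; ldap:///anyone includes anonymous.
    if bind.group(1) == "all" and not authenticated:
        return False
    target = TARGET_RE.search(aci)
    if target is not None:
        op, base = target.groups()
        hit = in_subtree(entry_dn, base)
        if (op == "=" and not hit) or (op == "!=" and hit):
            return False
    return True

def readers(acis, entry_dn):
    """Which bind classes can read entry_dn under the given allow-ACIs."""
    return {"anonymous": any(aci_grants_read(a, entry_dn, False) for a in acis),
            "authenticated": any(aci_grants_read(a, entry_dn, True) for a in acis)}

DNS_SERVICE = f"cn=DNS,cn=ipa.example.test,{MASTERS}"  # constructed service entry
if __name__ == "__main__":
    for name, acis in [("current", [ACI_ANON_CONTAINERS]),
                       ("drop exclusion", [ACI_ANON_NO_EXCLUSION]),
                       ("patch 0616", [ACI_ANON_CONTAINERS, ACI_AUTH_MASTERS])]:
        print(name, readers(acis, DNS_SERVICE))
```

Dropping the exclusion opens the DNS service entry to anonymous binds, while the separate authenticated-only ACI opens it to authenticated users and leaves the anonymous carve-out intact.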