[Freeipa-devel] Search Base issues

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 3 05:55:15 UTC 2014


Switching to freeipa-devel@ since it is an important issue.

On Tue, 02 Sep 2014, Rob Crittenden wrote:
>Chris Whittle wrote:
>> If I do this
>>
>> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D
>> "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword'
>> -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"
>>
>> It works fine
>
>AFAICT there currently isn't a permission for the compat tree. The admin
>user can do it via 'Admin can manage any entry' and of course DM can do
>it because it can do anything.
>
>A temporary workaround would be to add an aci manually:
>
>dn: dc=example,dc=com
>changetype: modify
>add: aci
>aci: (targetattr = "*")(target =
>"ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
>"Read canlogin compat tree";allow (compare,read,search) userdn =
>"ldap:///all";)
>
>This won't show up as a permission and will grant all authenticated
>users read access to the canlogin compat tree. I'm assuming here this
>contains entries keyed on uid.

We have several use-cases for the compat tree and I wonder what to do with
the completely unauthenticated case? Do we still want to support that?

Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.
-- 
/ Alexander Bokovoy
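Added example (not part of the thread, and not FreeIPA or 389-ds code): a small Python check that parses the workaround ACI quoted above and reports whether it would grant anonymous read access to the compat tree. The distinction it relies on is standard 389 Directory Server bind-rule syntax: userdn = "ldap:///all" matches any authenticated user, while userdn = "ldap:///anyone" also matches anonymous binds. The second sample ACI below is a constructed variant of Rob's ACI with the bind rule switched to ldap:///anyone, so the two outcomes can be compared offline.

```python
import re

# Constructed samples: the first is the workaround ACI from the thread,
# collapsed onto one line; the second is a hypothetical variant that
# uses the anonymous bind rule instead.
SAMPLE_ACIS = {
    "authenticated": (
        '(targetattr = "*")(target = '
        '"ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl '
        '"Read canlogin compat tree";allow (compare,read,search) userdn = '
        '"ldap:///all";)'
    ),
    "anonymous": (
        '(targetattr = "*")(target = '
        '"ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl '
        '"Read canlogin compat tree";allow (compare,read,search) userdn = '
        '"ldap:///anyone";)'
    ),
}

# 389-ds userdn keywords relevant to the authenticated vs. anonymous question.
BIND_RULE_SCOPE = {
    "ldap:///anyone": "anonymous_and_authenticated",
    "ldap:///all": "authenticated",
    "ldap:///self": "self",
    "ldap:///parent": "parent",
}

READ_LIKE_RIGHTS = {"read", "search", "compare", "all"}


def parse_aci(aci):
    """Extract target, attributes, acl name, effect, rights and bind rules
    from a version 3.0 ACI string (only the parts this check needs)."""
    m_target = re.search(r'\(target\s*=\s*"([^"]+)"\)', aci)
    m_attr = re.search(r'\(targetattr\s*=\s*"([^"]+)"\)', aci)
    m_name = re.search(r'acl\s*"([^"]+)"', aci)
    # effect, comma-separated rights, then everything up to the closing ';)'
    m_rule = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$', aci)
    if m_rule is None:
        raise ValueError("unrecognised ACI: no allow/deny rule found")
    rights = [r.strip() for r in m_rule.group(2).split(",") if r.strip()]
    bind_rules = re.findall(r'(userdn|groupdn|roledn)\s*=\s*"([^"]+)"',
                            m_rule.group(3))
    return {
        "name": m_name.group(1) if m_name else None,
        "target": m_target.group(1) if m_target else None,
        "targetattr": m_attr.group(1) if m_attr else None,
        "effect": m_rule.group(1),
        "rights": rights,
        "bind_rules": bind_rules,
    }


def targets_compat_tree(aci):
    """True if the ACI target lies under a cn=compat container."""
    target = parse_aci(aci)["target"] or ""
    return ",cn=compat," in target.lower()


def grants_anonymous_read(aci):
    """True if the ACI is an allow rule with read-like rights whose userdn
    bind rule admits anonymous binds (ldap:///anyone)."""
    parsed = parse_aci(aci)
    if parsed["effect"] != "allow":
        return False
    if not set(parsed["rights"]) & READ_LIKE_RIGHTS:
        return False
    return any(
        keyword == "userdn"
        and BIND_RULE_SCOPE.get(value) == "anonymous_and_authenticated"
        for keyword, value in parsed["bind_rules"]
    )


def audit(aci):
    """One-line verdict for an ACI, intended for scanning an LDIF dump."""
    parsed = parse_aci(aci)
    scope = "anonymous" if grants_anonymous_read(aci) else "authenticated-only"
    where = "compat tree" if targets_compat_tree(aci) else "other subtree"
    return f'{parsed["name"]}: {scope} read on {where}'


if __name__ == "__main__":
    for label, aci in SAMPLE_ACIS.items():
        print(label, "->", audit(aci))
```

Running it prints the authenticated sample as "authenticated-only read on compat tree" and the constructed variant as "anonymous read on compat tree", which is the case Alexander is asking about. The regexes cover the single-bind-rule shape used in the thread; ACIs that combine several bind rules with and/or would need a fuller parser.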