[Freeipa-devel] Compat tree permissions

Martin Kosek mkosek at redhat.com
Wed Sep 3 08:17:08 UTC 2014


On 09/03/2014 07:55 AM, Alexander Bokovoy wrote:
> Switching to freeipa-devel@ since it is an important issue.
> 
> On Tue, 02 Sep 2014, Rob Crittenden wrote:
>> Chris Whittle wrote:
>>> If I do this
>>>
>>> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D
>>> "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword'
>>> -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"
>>>
>>> It works fine
>>
>> AFAICT there currently isn't a permission for the compat tree. The admin
>> user can do it via "Admin can manage any entry" and of course DM can do
>> it because it can do anything.
>>
>> A temporary workaround would be to add an aci manually:
>>
>> dn: dc=example,dc=com
>> changetype: modify
>> add: aci
>> aci: (targetattr = "*")(target =
>> "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
>> "Read canlogin compat tree";allow (compare,read,search) userdn =
>> "ldap:///all";)
>>
>> This won't show up as a permission and will grant all authenticated
>> users read access to the canlogin compat tree. I'm assuming here this
>> contains entries keyed on uid.
> We have several use-cases for compat tree and I wonder what to do with
> completely unauthenticated case? Do we still want to support that?

Wouldn't limiting the compat tree to authenticated users only restrict our Legacy
Client feature? See "ipa-advise config-redhat-nss-ldap"; this advice would stop
working after this change, right?

We already show a selected subset of attributes to anonymous users; I think we
should continue with that:

# ipa permission-show "System: Read User Standard Attributes"
  Permission name: System: Read User Standard Attributes
  Granted rights: read, compare, search
  Effective attributes: cn, description, displayname, gecos, gidnumber, givenname,
                        homedirectory, initials, ipantsecurityidentifier, loginshell,
                        manager, objectclass, sn, title, uid, uidnumber
  Default attributes: displayname, description, title, objectclass, loginshell,
                      ipantsecurityidentifier, uidnumber, gidnumber, initials,
                      manager, gecos, sn, homedirectory, givenname, cn, uid
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
  Type: user

> Exposing the same data anonymously over compat tree when it is available
> only for authenticated users over primary tree isn't secure.

If you check
cn=users,cn=Schema Compatibility,cn=plugins,cn=config
you will see that we only allow attributes we already expose to anonymous users
in the basic permission. So it is not that bad.

But maybe we should add a new internal "link" between the standard and compat tree
permissions and issue a warning when the visibility of one is changed...

Regarding missing compat permissions, I would personally add these:

System: Read User Compat Tree
System: Read Group Compat Tree
System: Read Host Compat Tree
System: Read Netgroup Compat Tree

so that they are close to their standard tree alternatives.

Martin
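As an added example (not part of the thread and not FreeIPA's own code), the following Python script parses the 389-ds ACI strings quoted above, builds a compat-tree read ACI restricted to the attribute list of "System: Read User Standard Attributes" instead of targetattr="*", and implements the check behind the "link" Martin suggests: it warns when a compat ACI exposes attributes, or an audience, that the standard tree does not. The raw ACI for the standard permission (the mail only shows ipa permission-show output), the build_compat_aci helper and the warning texts are constructed for illustration; in practice the permissions Martin proposes would be created with ipa permission-add rather than with hand-written LDIF.

```python
"""Added example (not FreeIPA code): parse 389-ds ACIs and warn when a
compat-tree ACI exposes more than the standard tree's anonymous permission."""
import re
from dataclasses import dataclass

# Effective attributes of "System: Read User Standard Attributes" as quoted
# in the mail, lower-cased.
STANDARD_ANON_ATTRS = frozenset("""
cn description displayname gecos gidnumber givenname homedirectory initials
ipantsecurityidentifier loginshell manager objectclass sn title uid uidnumber
""".split())

# Rob's temporary workaround, copied from the mail including its line wrap.
ROB_WORKAROUND_ACI = '''(targetattr = "*")(target =
"ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
"Read canlogin compat tree";allow (compare,read,search) userdn =
"ldap:///all";)'''

# Constructed approximation of the standard-tree permission as a raw ACI;
# the mail shows only ipa permission-show output, not the ACI itself.
STANDARD_USER_ACI = (
    '(targetattr = "%s")'
    '(target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")'
    '(version 3.0;acl "permission:System: Read User Standard Attributes";'
    'allow (compare,read,search) userdn = "ldap:///anyone";)'
    % " || ".join(sorted(STANDARD_ANON_ATTRS)))

CLAUSE_RE = re.compile(
    r'\(\s*(?P<key>targetattr|targetfilter|target)\s*(?P<op>!?=)\s*"(?P<val>[^"]*)"\s*\)',
    re.I)
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;\s*'
    r'allow\s*\(\s*(?P<rights>[^)]*)\)\s*(?P<bind>[^;]*);\s*\)', re.I)
USERDN_RE = re.compile(r'userdn\s*=\s*"(?P<dn>[^"]*)"', re.I)


@dataclass(frozen=True)
class Aci:
    name: str
    target: str
    targetattr: frozenset   # empty when wildcard is True
    wildcard: bool          # targetattr = "*"
    rights: frozenset
    userdn: str
    anonymous: bool         # True if anonymous binds satisfy the bind rule


def parse_aci(text: str) -> Aci:
    """Parse the subset of 389-ds ACI syntax used by the ACIs in this thread."""
    text = " ".join(text.split())          # rejoin lines wrapped by the mailer
    clauses = {m.group("key").lower(): (m.group("op"), m.group("val").strip())
               for m in CLAUSE_RE.finditer(text)}
    body = BODY_RE.search(text)
    if body is None or "targetattr" not in clauses:
        raise ValueError("unsupported ACI syntax: %r" % text)
    op, attrs = clauses["targetattr"]
    if op != "=":
        raise ValueError("negated targetattr is not handled")
    wildcard = attrs == "*"
    attr_set = frozenset() if wildcard else frozenset(
        a.strip().lower() for a in attrs.split("||") if a.strip())
    rights = frozenset(r.strip().lower() for r in body.group("rights").split(","))
    userdn_m = USERDN_RE.search(body.group("bind"))
    userdn = userdn_m.group("dn") if userdn_m else ""
    # 389-ds bind rules: "ldap:///anyone" also matches anonymous binds,
    # "ldap:///all" matches authenticated binds only.
    return Aci(name=body.group("name"), target=clauses.get("target", ("=", ""))[1],
               targetattr=attr_set, wildcard=wildcard, rights=rights,
               userdn=userdn, anonymous=(userdn.lower() == "ldap:///anyone"))


def build_compat_aci(suffix, container, rdn_attr, attrs, name, anonymous=True):
    """Hypothetical helper: a compat-tree read ACI that mirrors an explicit
    attribute list instead of targetattr="*"."""
    return ('(targetattr = "%s")(target = "ldap:///%s=*,cn=%s,cn=compat,%s")'
            '(version 3.0;acl "%s";allow (compare,read,search) userdn = "%s";)'
            % (" || ".join(sorted(attrs)), rdn_attr, container, suffix, name,
               "ldap:///anyone" if anonymous else "ldap:///all"))


def check_link(compat_aci: Aci, standard_aci: Aci) -> list:
    """The 'link' Martin suggests: warn when the compat ACI is more permissive
    than its standard-tree counterpart, by attribute set or by audience."""
    warnings = []
    if not standard_aci.wildcard:
        extra = ({"*"} if compat_aci.wildcard
                 else set(compat_aci.targetattr) - set(standard_aci.targetattr))
        if extra:
            warnings.append("compat ACI exposes attributes the standard tree does not: "
                            + ", ".join(sorted(extra)))
    if compat_aci.anonymous and not standard_aci.anonymous:
        warnings.append("compat ACI is readable anonymously but the standard tree "
                        "requires authentication")
    return warnings


if __name__ == "__main__":
    standard = parse_aci(STANDARD_USER_ACI)
    for text in (ROB_WORKAROUND_ACI,
                 build_compat_aci("dc=example,dc=com", "users", "uid",
                                  STANDARD_ANON_ATTRS, "Read User Compat Tree")):
        aci = parse_aci(text)
        print(aci.name, "->", check_link(aci, standard) or "ok")
```

Run stand-alone, the script reports that the targetattr="*" workaround exposes more than the standard permission does, while the attribute-mirroring ACI passes; the audience check fires only when the compat side is anonymous and the standard side is not, so an authenticated-only compat ACI (Rob's bind rule) never produces an audience warning.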
