[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Alexander Bokovoy abokovoy at redhat.com
Thu Sep 4 12:40:23 UTC 2014


On Wed, 03 Sep 2014, Martin Kosek wrote:
>On 09/03/2014 03:15 PM, Petr Viktorin wrote:
>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
>>>> Hello,
>>>> This adds managed read permissions to the compat tree.
>>>>
>>>> For users it grants anonymous access; authenticated users can read
>>>> groups, hosts and netgroups.
>>>>
>>>> I'm unsure if this is what we want to do for groups, but "Read Group
>>>> Membership" is only granted to authenticated users by default, and the
>>>> compat tree exposes memberuid.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4521
>>>
>>> Self-NACK, there's a typo (though I could swear I tested this :/)
>>>
>>>
>>
>> Fixed patch attached.
>>
>
>I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
>see if there are no reservations from Alexander or Rob.
I think we need a few more fixes. Here is the ACL log for an anonymous
request:

[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname="permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)

createTimestamp is an operational attribute and is synthesized by
slapi-nis; there is no problem allowing access to it. I think we can
allow the following operational attributes:

createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
entryDN, hasSubordinates, numSubordinates

Finally, ipaNTSecurityIdentifier may be allowed access too; I didn't
run ipa-adtrust-install on this machine yet.

The same set should be allowed for the primary tree.

-- 
/ Alexander Bokovoy
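The log above is the raw 389-ds NSACLPlugin trace; reading it by eye is error-prone once more than a handful of attributes are involved. The following is an added example (not part of the thread and not FreeIPA or slapi-nis code) that parses such decision lines and reports, for one bind subject, which compat containers it may search, which attributes it was allowed or denied to read, and which of the operational attributes listed in the message above were still denied. The sample log is constructed from the lines quoted in the thread (wrapped lines joined); the function names, the regular expressions and the `OPERATIONAL_ATTRS` set are the example's own.

```python
import re
from collections import defaultdict

# Operational attributes the message above proposes to allow (taken from the post).
OPERATIONAL_ATTRS = {
    "createTimestamp", "modifyTimestamp", "entryUSN", "creatorsName",
    "modifiersName", "entryDN", "hasSubordinates", "numSubordinates",
}

# One NSACLPlugin decision line. The "#### conn=... binddn=" lines carry no
# decision and simply do not match this pattern, so they are skipped.
ACL_LINE = re.compile(
    r"NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): "
    r"(?P<decision>Allow|Deny) (?P<right>\w+) on "
    r"entry\((?P<entry>[^)]*)\)\.attr\((?P<attr>[^)]*)\) "
    r"to (?P<subject>[^:]+): (?P<reason>.*)$"
)
# The aci number 389-ds prints in the reason, plus its aciname when present
# ("cached allow" lines name only the number).
ACI_REF = re.compile(r'aci\((?P<num>\d+)\)(?:: aciname=\s*"(?P<name>[^"]*)")?')
# Direct children of cn=compat (users, groups, ng, computers, ...).
COMPAT_CONTAINER = re.compile(r"cn=([^,]+),cn=compat,", re.IGNORECASE)

# Constructed sample, modelled on the log quoted in the thread.
SAMPLE_LOG = """\
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname="permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname="Admin can manage any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to anonymous: allowed by aci(38): aciname="permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
"""


def parse_acl_log(text):
    """Return one dict per NSACLPlugin decision line; all other lines are ignored."""
    decisions = []
    for line in text.splitlines():
        m = ACL_LINE.search(line)
        if m:
            decisions.append(m.groupdict())
    return decisions


def compat_container(entry_dn):
    """Name of the cn=compat child an entry lives under, or None for cn=compat itself."""
    m = COMPAT_CONTAINER.search(entry_dn)
    return m.group(1) if m else None


def search_access_by_container(decisions, subject="anonymous"):
    """Container -> 'Allow' if the subject could search anywhere under it, else 'Deny'."""
    result = {}
    for d in decisions:
        if d["subject"] != subject or d["right"] != "search":
            continue
        container = compat_container(d["entry"])
        if container is None:
            continue
        if d["decision"] == "Allow" or container not in result:
            result[container] = d["decision"]
    return result


def read_decisions_by_attr(decisions, subject="anonymous"):
    """Attribute -> set of read decisions seen for the subject ({'Allow'}, {'Deny'} or both)."""
    by_attr = defaultdict(set)
    for d in decisions:
        if d["subject"] == subject and d["right"] == "read":
            by_attr[d["attr"]].add(d["decision"])
    return dict(by_attr)


def denied_operational_attrs(decisions, subject="anonymous"):
    """Operational attributes the subject was denied to read; non-empty means the
    managed permission does not yet cover them."""
    by_attr = read_decisions_by_attr(decisions, subject)
    return sorted(a for a in OPERATIONAL_ATTRS if "Deny" in by_attr.get(a, set()))


def acis_in_play(decisions):
    """aci number -> aciname as printed in each decision's reason (None if only a
    'cached allow by aci(N)' line named it)."""
    names = {}
    for d in decisions:
        m = ACI_REF.search(d["reason"])
        if m and (m.group("name") or m.group("num") not in names):
            names[m.group("num")] = m.group("name")
    return names


if __name__ == "__main__":
    decisions = parse_acl_log(SAMPLE_LOG)
    print("search access per compat container:", search_access_by_container(decisions))
    print("read decisions per attribute:", read_decisions_by_attr(decisions))
    print("operational attrs still denied:", denied_operational_attrs(decisions))
    print("acis referenced:", acis_in_play(decisions))
```

On the constructed sample this reports that anonymous may search only the users container, that `createTimestamp` is the one proposed operational attribute still denied, and which aci numbers 389-ds referenced. To use it on a real server, feed it the access/errors log captured with ACL logging enabled and pass the bind DN of interest as `subject`.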