[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Alexander Bokovoy abokovoy at redhat.com
Thu Sep 4 14:10:27 UTC 2014


On Thu, 04 Sep 2014, Martin Kosek wrote:
>On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
>> On Wed, 03 Sep 2014, Martin Kosek wrote:
>>> On 09/03/2014 03:15 PM, Petr Viktorin wrote:
>>>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
>>>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>> This adds managed read permissions to the compat tree.
>>>>>>
>>>>>> For users it grants anonymous access; authenticated users can read
>>>>>> groups, hosts and netgroups.
>>>>>>
>>>>>> I'm unsure if this is what we want to do for groups, but "Read Group
>>>>>> Membership" is only granted to authenticated users by default, and the
>>>>>> compat tree exposes memberuid.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/4521
>>>>>
>>>>> Self-NACK, there's a typo (though I could swear I tested this :/)
>>>>>
>>>>>
>>>>
>>>> Fixed patch attached.
>>>>
>>>
>>> I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
>>> see if there are any reservations from Alexander or Rob.
>> I think we need a bit more fixes. Here is ACL log for an anonymous
>> request:
>>
>> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
>> "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
>> aci matched the subject by aci(27): aciname="permission:System: Read DNS
>> Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
>> matched the subject by aci(27): aciname="permission:System: Read DNS
>> Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
>> aci matched the subject by aci(27): aciname="permission:System: Read DNS
>> Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>> anonymous: no aci matched the subject by aci(27): aciname=
>> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>> anonymous: no aci matched the subject by aci(27): aciname=
>> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>> entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
>> matched the subject by aci(27): aciname="permission:System: Read DNS
>> Configuration", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>> entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
>> by aci(38): aciname= "permission:System: Read User
>> Compat Tree", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>> entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>> cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>> cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
>> uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
>> to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage
>> any entry", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
>> anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
>> Tree", acidn="dc=ipacloud,dc=test"
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
>> cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
>> anonymous: cached allow by aci(38)
>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>> cached allow by aci(38)
>>
>> createTimestamp is an operational attribute and is synthesized by
>> slapi-nis; there is no problem allowing access to it. I think we can
>> allow the following operational attributes:
>>
>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>> entryDN, hasSubordinates, numSubordinates
>
>Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>for whole FreeIPA DIT. So this change is not so related to these patches.
>
>Do we also want to expose attributes like creatorsName/modifiersName? Do we
>consider that public information or just audit-like information for DM only?
They are standard features of LDAP servers. RFC 4512 states:
=============================================================================
3.4 Operational attributes
...
Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
'modifiersName', and 'modifyTimestamp' attributes for all entries of the
DIT.
=============================================================================

This is, again, a question of policy. Active Directory forbids anonymous
access to the tree; so they always expose these attributes to
authenticated users only. If we allow anonymous access, we should allow
these attributes too.


>> Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
>> run ipa-adtrust-install on this machine yet.
>
>I do not think that this attribute is written to cn=compat (did not see it in
>config) - is it?
It is written for AD users synthesized with SSSD help. I think the lack
of it for IPA users is an oversight.

>
>>
>> The same set should be allowed for primary tree.
>>
>
>IMO this should be just one global permission/ACI, set for DIT root.
Yes, that would work.

-- 
/ Alexander Bokovoy
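The ACL debug log quoted in this thread is the evidence for the whole discussion, but it is verbose: every attribute of every candidate entry gets its own Allow/Deny line, records wrap across lines in the archive, and a Deny line names the last ACI that was evaluated ("no aci matched the subject by aci(27)") rather than a rule that denied anything. The following script is an added example, not code from the thread or from FreeIPA or 389-ds: it rejoins the wrapped records, parses each decision, and summarises which attributes anonymous was allowed to read (and by which permission) and which were denied. The sample log is taken from the lines quoted above; the record format the regular expressions assume is inferred only from those lines.

```python
"""Summarise 389-ds NSACLPlugin access-control decisions from a debug log.

Added example (not part of the original thread, FreeIPA or 389-ds).  The
record layout is an assumption taken from the log lines quoted in the thread.
"""
import re
from collections import defaultdict

# A new log record starts with a "[dd/Mon/yyyy:" timestamp; anything else is
# a continuation line produced by the mail archive wrapping long records.
TIMESTAMP_PREFIX = re.compile(r'^\[\d{2}/\w{3}/\d{4}:')

# One access decision per record (assumed format, from the quoted log).
DECISION_RE = re.compile(
    r'NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): '
    r'(?P<verdict>Allow|Deny) (?P<right>\w+) on '
    r'entry\((?P<entry>[^)]*)\)\.attr\((?P<attr>[^)]*)\) to (?P<subject>\w+): '
    r'(?P<reason>.*)$'
)
ACI_RE = re.compile(r'aci\((?P<num>\d+)\)')
ACINAME_RE = re.compile(r'aciname=\s*"(?P<name>[^"]*)"')

# Constructed sample: a subset of the log quoted in the thread, wrapped as the
# archive wrapped it, so that join_records() has something to repair.
SAMPLE_LOG = """\
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
"cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
aci matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
by aci(38): aciname= "permission:System: Read User
Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage
any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
anonymous: cached allow by aci(38)
"""


def join_records(lines):
    """Rejoin records that were wrapped onto several physical lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP_PREFIX.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records


def parse_decisions(lines):
    """Return one dict per Allow/Deny decision; other records are skipped."""
    decisions = []
    for record in join_records(lines):
        m = DECISION_RE.search(record)
        if not m:
            continue  # "#### conn=..." headers, schema-compat-plugin lines
        d = m.groupdict()
        aci = ACI_RE.search(d['reason'])
        name = ACINAME_RE.search(d['reason'])
        d['aci'] = int(aci.group('num')) if aci else None
        d['aciname'] = name.group('name') if name else None
        d['cached'] = 'cached' in d['reason']
        decisions.append(d)
    return decisions


def summarize(decisions, subject='anonymous'):
    """Per attribute: the permission(s) that allowed it, or the entries denied.

    'cached allow by aci(N)' records carry no aciname, so the name is taken
    from an earlier record that cited the same ACI number.  The ACI named on
    a Deny record is only the last one evaluated ("no aci matched the
    subject"), so it is reported as a denial, not as a denying rule.
    """
    names = {d['aci']: d['aciname'] for d in decisions if d['aci'] and d['aciname']}
    allowed, denied = defaultdict(set), defaultdict(set)
    for d in decisions:
        if d['subject'] != subject:
            continue
        if d['verdict'] == 'Allow':
            allowed[d['attr']].add(names.get(d['aci'], 'aci(%s)' % d['aci']))
        else:
            denied[d['attr']].add(d['entry'])
    return {'allowed': {a: sorted(v) for a, v in allowed.items()},
            'denied': {a: sorted(v) for a, v in denied.items()}}


if __name__ == '__main__':
    for verdict, attrs in summarize(parse_decisions(SAMPLE_LOG.splitlines())).items():
        print(verdict)
        for attr, detail in sorted(attrs.items()):
            print('  %-16s %s' % (attr, '; '.join(detail)))
```

Running it on the sample shows at a glance what the thread argues from: everything anonymous could read on the user entry came from "permission:System: Read User Compat Tree", the uid searches on the computers, groups and netgroup containers fell through without a matching allow, and createTimestamp on the user entry was the one attribute denied even though the entry itself was readable. Feed it a real access log taken with the ACL log level enabled on the server to check the same thing after changing a permission.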
