[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Martin Kosek mkosek at redhat.com
Thu Sep 4 14:38:31 UTC 2014


On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
...
>>> createTimestamp is an operational attribute and is synthesized by
>>> slapi-nis, there is no problem allowing access to it. I think we can
>>> allow the following operational attributes:
>>>
>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>>> entryDN, hasSubordinates, numSubordinates
>>
>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>> for the whole FreeIPA DIT. So this change is not so related to these patches.
>>
>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
>> consider that public information or just audit-like information for DM only?
> They are standard features of LDAP servers. RFC 4512 states:
> =============================================================================
> 3.4 Operational attributes
> ...
> Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
> 'modifiersName', and 'modifyTimestamp' attributes for all entries of the
> DIT.
> =============================================================================
> 
> This is, again, a question of policy. Active Directory forbids anonymous
> access to the tree; so they always expose these attributes to
> authenticated users only. If we allow anonymous access, we should allow
> these attributes too.

Well, DS *does* maintain the attributes - question is whether we want to show
them to anonymous/authenticated people or just the DM :)

> 
> 
>>> Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
>>> run ipa-adtrust-install on this machine yet.
>>
>> I do not think that this attribute is written to cn=compat (did not see it in
>> config) - is it?
> It is written for AD users synthesized with SSSD help. I think the lack
> of it for IPA users is an oversight.

Ok. Petr, you know what to do.

Martin
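The policy choice discussed above (expose the operational attributes to anonymous readers, or only to authenticated binds) comes down to the bind rule in a 389-DS ACI. The following is an added example, not code from FreeIPA, slapi-nis or 389-DS: it builds the read ACI for the attribute list from the thread in both variants, shows how an audit-like subset (creatorsName/modifiersName) can be dropped from the anonymous variant, and evaluates which binds each variant admits. The suffix, ACI names and helper functions are illustrative assumptions.

```python
# Added example (not FreeIPA, slapi-nis or 389-DS project code).
# Builds 389-DS ACIs granting read access to operational attributes and
# checks which bind (anonymous vs authenticated) each bind rule admits.
from typing import Iterable, List

# Assumed location of the compat tree; real deployments use their own suffix.
COMPAT_BASE = "cn=compat,dc=example,dc=com"

# Operational attributes proposed for exposure in the thread.
OPERATIONAL_ATTRS = (
    "createTimestamp", "modifyTimestamp", "entryUSN", "creatorsName",
    "modifiersName", "entryDN", "hasSubordinates", "numSubordinates",
)

# Audit-like attributes one may want to keep out of an anonymous ACI.
AUDIT_ATTRS = frozenset({"creatorsName", "modifiersName"})

# 389-DS bind rules: "ldap:///anyone" matches unauthenticated and
# authenticated binds alike; "ldap:///all" matches only authenticated binds.
BIND_RULES = {
    "anonymous": 'userdn = "ldap:///anyone"',
    "authenticated": 'userdn = "ldap:///all"',
}


def build_read_aci(name: str, target: str, attrs: Iterable[str], audience: str) -> str:
    """Return a 389-DS ACI granting read/search/compare on attrs under target."""
    if audience not in BIND_RULES:
        raise ValueError(f"unknown audience {audience!r}")
    targetattr = " || ".join(attrs)
    return (
        f'(target = "ldap:///{target}")'
        f'(targetattr = "{targetattr}")'
        f'(version 3.0; acl "{name}"; allow (read, search, compare) '
        f"{BIND_RULES[audience]};)"
    )


def aci_targetattrs(aci: str) -> List[str]:
    """Extract the attribute names listed in the ACI's targetattr clause."""
    marker = '(targetattr = "'
    start = aci.index(marker) + len(marker)
    end = aci.index('"', start)
    return aci[start:end].split(" || ")


def aci_admits_bind(aci: str, bind_dn: str) -> bool:
    """True if the ACI's bind rule matches bind_dn ("" means anonymous bind).

    Only the two bind rules used above are understood; anything else is an error
    rather than a silent allow.
    """
    if 'userdn = "ldap:///anyone"' in aci:
        return True
    if 'userdn = "ldap:///all"' in aci:
        return bind_dn != ""
    raise ValueError("unsupported bind rule")


def to_ldif(dn: str, aci: str) -> str:
    """Wrap the ACI in an LDIF modify record adding it to the entry at dn."""
    return f"dn: {dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"


if __name__ == "__main__":
    public_attrs = [a for a in OPERATIONAL_ATTRS if a not in AUDIT_ATTRS]
    anon = build_read_aci("Read compat operational attributes (anonymous)",
                          COMPAT_BASE, public_attrs, "anonymous")
    auth = build_read_aci("Read compat operational attributes (authenticated)",
                          COMPAT_BASE, OPERATIONAL_ATTRS, "authenticated")
    print(to_ldif(COMPAT_BASE, anon))
    print(to_ldif(COMPAT_BASE, auth))
    for label, dn in (("anonymous", ""), ("admin", "uid=admin,cn=users,cn=accounts,dc=example,dc=com")):
        print(label, "anon-ACI:", aci_admits_bind(anon, dn), "auth-ACI:", aci_admits_bind(auth, dn))
```

The two ACIs can coexist on the same entry: the anonymous one carries the attributes treated as public, the authenticated one adds the audit-like pair, which reproduces the "authenticated users only" policy Alexander describes for Active Directory without closing the tree to anonymous reads entirely.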
