[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Ludwig Krispenz lkrispen at redhat.com
Thu Sep 4 14:44:04 UTC 2014


On 09/04/2014 04:38 PM, Martin Kosek wrote:
> On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
> ...
>>>> createTimestamp is operational attribute and is synthesized by
>>>> slapi-nis, there is no problem allowing access to it. I think we can
>>>> allow following operational attributes:
>>>>
>>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>>>> entryDN, hasSubordinates, numSubordinates
>>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>>> for whole FreeIPA DIT. So this change is not so related to these patches.
>>>
>>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
>>> consider that a public information or just audit-like information for DM only?
>> They are standard features of LDAP servers. RFC 4512 states:
>> =============================================================================
>> 3.4 Operational attributes
>> ...
>> Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
>> 'modifiersName', and 'modifyTimestamp' attributes for all entries of the
>> DIT.
>> =============================================================================
>>
>> This is, again, a question of policy. Active Directory forbids anonymous
>> access to the tree; so they always expose these attributes to
>> authenticated users only. If we allow anonymous access, we should allow
>> these attributes too.
> Well, DS *does* maintain the attributes - question is whether we want to show
> them to anonymous/authenticated people or just the DM :)
Whether you want to show them depends on whether they are useful or sensitive.
I don't know why an anonymous user would need access to them.
Are they sensitive? Well, at least they expose a DN which has rights to
create and modify entries and could be used in trying to get more access.
>
>>
>>>> Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
>>>> run ipa-adtrust-install on this machine yet.
>>> I do not think that this attribute is written to cn=compat (did not see it in
>>> config) - is it?
>> It is written for AD users synthesized with SSSD help. I think the lack
>> of it for IPA users is an oversight.
> Ok. Petr, you know what to do.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
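An added example, not part of this thread or of the FreeIPA code: a small audit helper that reads an LDIF dump (as produced by an anonymous ldapsearch of the compat tree with operational attributes requested) and reports which of the operational attributes proposed above are readable and, following Ludwig's point, which entries leak the DN of an identity with write rights. The sample LDIF and the DN values in it are constructed.

```python
from collections import defaultdict

# Operational attributes proposed for exposure in the thread above.
PROPOSED = {"createtimestamp", "modifytimestamp", "entryusn", "creatorsname",
            "modifiersname", "entrydn", "hassubordinates", "numsubordinates"}
# The two Ludwig flags: their value is the DN of an identity with write rights.
REVEALS_WRITER_DN = {"creatorsname", "modifiersname"}

# Constructed sample, not real server output: roughly what an anonymous
# `ldapsearch -x ... "+"` against the compat tree might return.
SAMPLE = """\
dn: uid=alice,cn=users,cn=compat,dc=example,dc=test
uid: alice
createTimestamp: 20140904120000Z
entryUSN: 1234
creatorsName: cn=Directory Manager
modifiersName: cn=Directory Manager
entryDN: uid=alice,cn=users,cn=compat,
 dc=example,dc=test

dn: cn=groups,cn=compat,dc=example,dc=test
entryDN: cn=groups,cn=compat,dc=example,dc=test
hasSubordinates: TRUE
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {lowercased attr: [values]})."""
    entries, cur, last = [], None, None
    for line in text.splitlines():
        if line.startswith(" ") and last:          # folded continuation line
            cur[last][-1] += line[1:]
        elif not line.strip():                     # blank line ends an entry
            if cur:
                entries.append((cur["dn"][0], cur))
            cur, last = None, None
        else:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            cur = cur if cur is not None else defaultdict(list)
            cur[name].append(value.lstrip(": "))   # ':: ' base64 kept verbatim
            last = name
    if cur:
        entries.append((cur["dn"][0], cur))
    return entries

def audit(text):
    """Per entry: which proposed attrs are readable, and which writer DNs leak."""
    report = {}
    for dn, attrs in parse_ldif(text):
        exposed = sorted(a for a in attrs if a in PROPOSED)
        writers = sorted({v for a in REVEALS_WRITER_DN for v in attrs.get(a, [])})
        report[dn] = {"exposed": exposed, "writers": writers}
    return report
```

Run it over a real anonymous dump to see whether entries under cn=compat hand out creatorsName/modifiersName values before deciding the permission set.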
