[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Simo Sorce ssorce at redhat.com
Thu Sep 4 15:12:03 UTC 2014


On Thu, 2014-09-04 at 18:10 +0300, Alexander Bokovoy wrote:
> On Thu, 04 Sep 2014, Simo Sorce wrote:
> >On Thu, 2014-09-04 at 15:55 +0200, Martin Kosek wrote:
> >> On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
> >> > On Wed, 03 Sep 2014, Martin Kosek wrote:
> >> >> On 09/03/2014 03:15 PM, Petr Viktorin wrote:
> >> >>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
> >> >>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
> >> >>>>> Hello,
> >> >>>>> This adds managed read permissions to the compat tree.
> >> >>>>>
> >> >>>>> For users it grants anonymous access; authenticated users can read
> >> >>>>> groups, hosts and netgroups.
> >> >>>>>
> >> >>>>> I'm unsure if this is what we want to do for groups, but "Read Group
> >> >>>>> Membership" is only granted to authenticated users by default, and the
> >> >>>>> compat tree exposes memberuid.
> >> >>>>>
> >> >>>>> https://fedorahosted.org/freeipa/ticket/4521
> >> >>>>
> >> >>>> Self-NACK, there's a typo (though I could swear I tested this :/)
> >> >>>>
> >> >>>>
> >> >>>
> >> >>> Fixed patch attached.
> >> >>>
> >> >>
> >> >> I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
> >> >> see if there are no reservations from Alexander or Rob.
> >> > I think we need a bit more fixes. Here is ACL log for an anonymous
> >> > request:
> >> >
> >> > [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
> >> > "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> >> > entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
> >> > aci matched the subject by aci(27): aciname="permission:System: Read DNS
> >> > Configuration", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> >> > entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
> >> > matched the subject by aci(27): aciname="permission:System: Read DNS
> >> > Configuration", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> >> > entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
> >> > aci matched the subject by aci(27): aciname="permission:System: Read DNS
> >> > Configuration", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> >> > entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
> >> > anonymous: no aci matched the subject by aci(27): aciname=
> >> > "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> >> > entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
> >> > anonymous: no aci matched the subject by aci(27): aciname=
> >> > "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> >> > entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
> >> > matched the subject by aci(27): aciname="permission:System: Read DNS
> >> > Configuration", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
> >> > entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
> >> > by aci(38): aciname= "permission:System: Read User
> >> > Compat Tree", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
> >> > entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
> >> > cached allow by aci(38)
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
> >> > cached allow by aci(38)
> >> > [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
> >> > uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
> >> > to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage
> >> > any entry", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
> >> > anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
> >> > Tree", acidn="dc=ipacloud,dc=test"
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
> >> > anonymous: cached allow by aci(38)
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
> >> > cached allow by aci(38)
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
> >> > anonymous: cached allow by aci(38)
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
> >> > anonymous: cached allow by aci(38)
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
> >> > anonymous: cached allow by aci(38)
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
> >> > anonymous: cached allow by aci(38)
> >> > [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> >> > entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
> >> > cached allow by aci(38)
> >> >
> >> > createTimestamp is operational attribute and is synthesized by
> >> > slapi-nis, there is no problem allowing access to it. I think we can
> >> > allow following operational attributes:
> >> >
> >> > createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
> >> > entryDN, hasSubordinates, numSubordinates
> >>
> >> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
> >> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
> >> for whole FreeIPA DIT. So this change is not so related to these patches.
> >
> >Indeed entryUSN should always be allowed, at least to authenticated
> >users.
> >
> >> Do we also want to expose attributes like creatorsName/modifiersName? Do we
> >> consider that a public information or just audit-like information for DM only?
> >
> >Are you asking just for the compat tree or in general ?
> >
> >> > Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
> >> > run ipa-adtrust-install on this machine yet.
> >>
> >> I do not think that this attribute is written to cn=compat (did not see it in
> >> config) - is it?
> >
> >No, and shouldn't
> Simo, so are you saying that we shouldn't return SIDs at all, even for
> AD users we show in the compat tree? We currently return it for all
> users and configure additional rule in the cn=users,cn=compat set within
> the slapi-nis plugin if we are serving AD users to compat tree:
> 
>         if (ret.check_nsswitch != SCH_NSSWITCH_NONE) {
>                 backend_shr_add_strlist(&ret.attribute_format, "objectClass=%ifeq(\"%{ipaNTSecurityIdentifier}\",\"\",\"\",\"extensibleObject\")");
>                 backend_shr_add_strlist(&ret.attribute_format, "ipaNTSecurityIdentifier=%{ipaNTSecurityIdentifier}");
>         }

The compat tree was originally built as a way to show only Posix
attributes to legacy clients.
So unless there is a very good reason I tend to think no other
attributes should be exposed through it by default.

Simo.
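The ACL log quoted earlier in the thread is the kind of output 389-ds emits with ACL processing logging enabled (error log level 128), and reading it by eye is error-prone: a "Deny" line names the last ACI the server evaluated before giving up, not a rule that denied access, which is why "System: Read DNS Configuration" shows up against compat-tree entries. The following is an added example for summarising such a log, not code from this thread, FreeIPA or 389-ds. The log lines it embeds are constructed, modelled on the quoted output and joined back into single lines because the mail wrapped them; the function names are assumptions of this example.

```python
"""Summarise 389-ds NSACLPlugin decision lines (allow/deny per entry, attribute,
subject and ACI), as seen when searching a FreeIPA compat tree anonymously."""
import re
from collections import Counter

# Constructed sample, modelled on the log quoted in the thread; in the real
# errors log each record is a single line (the e-mail wrapped them).
SAMPLE_LOG = """\
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to anonymous: cached allow by aci(38)
"""

# One decision record: "<Allow|Deny> <right> on entry(<dn>).attr(<attr>) to <subject>: <reason>"
DECISION_RE = re.compile(
    r'NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): '
    r'(?P<decision>Allow|Deny) (?P<right>\w+) on '
    r'entry\((?P<entry>[^)]*)\)\.attr\((?P<attr>[^)]*)\) '
    r'to (?P<subject>.+?): (?P<reason>.*)$'
)
# "aci(38): aciname= "..."" on a fresh decision; "cached allow by aci(38)" carries no name.
ACI_RE = re.compile(r'aci\((?P<num>\d+)\)(?::\s*aciname=\s*"(?P<name>[^"]*)")?')


def parse_acl_log(text):
    """Return one dict per NSACLPlugin decision line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DECISION_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        a = ACI_RE.search(rec['reason'])
        rec['aci'] = int(a.group('num')) if a else None
        # On a Deny line this is merely the last ACI evaluated, not a deny rule.
        rec['aciname'] = a.group('name') if a else None
        rec['cached'] = rec['reason'].startswith('cached')
        records.append(rec)
    return records


def denied(records, subject='anonymous'):
    """Sorted (entry, right, attr) tuples the given subject was refused."""
    return sorted((r['entry'], r['right'], r['attr'])
                  for r in records
                  if r['subject'] == subject and r['decision'] == 'Deny')


def allowing_acis(records):
    """Map ACI number -> name for every Allow decision, taking the name from
    the first non-cached hit (cached hits only carry the number)."""
    names = {}
    for r in records:
        if r['decision'] == 'Allow' and r['aci'] is not None:
            if r['aci'] not in names or names[r['aci']] is None:
                names[r['aci']] = r['aciname']
    return names


def decision_counts(records):
    """Counter of (subject, decision) pairs, a quick check of what a bind can see."""
    return Counter((r['subject'], r['decision']) for r in records)


if __name__ == '__main__':
    recs = parse_acl_log(SAMPLE_LOG)
    print(decision_counts(recs))
    for entry, right, attr in denied(recs):
        print(f'anonymous denied {right} on {attr} at {entry}')
    print('allowing ACIs:', allowing_acis(recs))
```

Run it against the real errors log of a test server (`python3 this_file.py < /var/log/dirsrv/slapd-INSTANCE/errors` after swapping SAMPLE_LOG for `sys.stdin.read()`) once for an anonymous bind and once for an authenticated one; the `denied()` list shows exactly which containers and attributes a new managed permission still leaves closed, which is the comparison this thread makes by hand.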
