[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 5 07:03:41 UTC 2014


On Fri, 05 Sep 2014, Alexander Bokovoy wrote:
> On Thu, 04 Sep 2014, Martin Kosek wrote:
>> On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
>>> On Wed, 03 Sep 2014, Martin Kosek wrote:
>>>> On 09/03/2014 03:15 PM, Petr Viktorin wrote:
>>>>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
>>>>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
>>>>>>> Hello,
>>>>>>> This adds managed read permissions to the compat tree.
>>>>>>> 
>>>>>>> For users it grants anonymous access; authenticated users can read
>>>>>>> groups, hosts and netgroups.
>>>>>>> 
>>>>>>> I'm unsure if this is what we want to do for groups, but "Read Group
>>>>>>> Membership" is only granted to authenticated users by default, and the
>>>>>>> compat tree exposes memberuid.
>>>>>>> 
>>>>>>> https://fedorahosted.org/freeipa/ticket/4521
>>>>>> 
>>>>>> Self-NACK, there's a typo (though I could swear I tested this :/)
>>>>>> 
>>>>>> 
>>>>> 
>>>>> Fixed patch attached.
>>>>> 
>>>> 
>>>> I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
>>>> see whether there are any reservations from Alexander or Rob.
>>> I think we need a few more fixes. Here is the ACL log for an anonymous
>>> request:
>>> 
>>> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
>>> "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>> entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
>>> aci matched the subject by aci(27): aciname="permission:System: Read DNS
>>> Configuration", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>> entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
>>> matched the subject by aci(27): aciname="permission:System: Read DNS
>>> Configuration", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>> entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
>>> aci matched the subject by aci(27): aciname="permission:System: Read DNS
>>> Configuration", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>> entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>>> anonymous: no aci matched the subject by aci(27): aciname=
>>> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>> entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
>>> anonymous: no aci matched the subject by aci(27): aciname=
>>> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
>>> entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
>>> matched the subject by aci(27): aciname="permission:System: Read DNS
>>> Configuration", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>>> entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
>>> by aci(38): aciname= "permission:System: Read User
>>> Compat Tree", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>>> entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>>> cached allow by aci(38)
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>>> cached allow by aci(38)
>>> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
>>> uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
>>> to anonymous: no aci matched the subject by aci(18): aciname= "Admin can manage
>>> any entry", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
>>> anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
>>> Tree", acidn="dc=ipacloud,dc=test"
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
>>> anonymous: cached allow by aci(38)
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
>>> cached allow by aci(38)
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
>>> anonymous: cached allow by aci(38)
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
>>> anonymous: cached allow by aci(38)
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
>>> anonymous: cached allow by aci(38)
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
>>> anonymous: cached allow by aci(38)
>>> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
>>> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
>>> cached allow by aci(38)
>>> 
>>> createTimestamp is an operational attribute and is synthesized by
>>> slapi-nis, so there is no problem allowing access to it. I think we can
>>> allow the following operational attributes:
>>> 
>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>>> entryDN, hasSubordinates, numSubordinates
>> 
>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>> for the whole FreeIPA DIT. So this change is not so related to these patches.
>> 
>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
>> consider that public information or just audit-like information for DM only?
>> 
>>> Finally, access to ipaNTSecurityIdentifier may be allowed too; I didn't
>>> run ipa-adtrust-install on this machine yet.
>> 
>> I do not think that this attribute is written to cn=compat (did not see it in
>> config) - is it?
>> 
>>> 
>>> The same set should be allowed for primary tree.
>>> 
>> 
>> IMO this should be just one global permission/ACI, set for DIT root.
> 
> I experimented a bit by setting up SSSD with a simple LDAP provider
> talking to a compat tree (with views enabled, but that doesn't change
> anything) and I think we need to move to ipapermbindruletype=anonymous
> or otherwise such a setup will not work at all. Attached is my take on it
> on top of Petr's patchset.
> 
> You can ignore views-related ACIs for time being.
Scratch that, it was an older version with duplicate entries.

Proper one is attached.

-- 
/ Alexander Bokovoy
-------------- next part --------------
diff --git a/ACI.txt b/ACI.txt
index 6a4e646..44e516c 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -51,9 +51,11 @@ aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipause
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || memberuid || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || gidnumber || memberuid || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || gidnumber || memberuid || objectclass")(target = "ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
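Review bot: the changed "Read Group Compat Tree" line moves the bind rule from `ldap:///all` to `ldap:///anyone` while still granting `memberuid`, but the unchanged "Read Group Membership" line two entries below keeps `memberuid` on cn=groups,cn=accounts restricted to `ldap:///all`; the same membership data is therefore anonymous-readable through cn=compat and authenticated-only through the primary tree. Petr's opening mail flagged exactly this, so either the primary-tree ACI should follow or the commit message should record why the compat tree is treated differently. The added `cn=groups,cn=*,cn=views,cn=compat` entry is one of the views ACIs the mail says to ignore for now; if it stays in the patch it needs a mention in the description.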
@@ -99,7 +101,7 @@ aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(versi
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || macaddress || objectclass")(target = "ldap:///cn=computers,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Host Compat Tree";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || macaddress || objectclass")(target = "ldap:///cn=computers,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Host Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
@@ -131,7 +133,7 @@ aci: (targetattr = "externalhost || member || memberhost || memberuser")(targetf
 dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "description")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Modify Netgroups";allow (write) groupdn = "ldap:///cn=System: Modify Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || membernisnetgroup || nisnetgrouptriple || objectclass")(target = "ldap:///cn=ng,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Netgroup Compat Tree";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || membernisnetgroup || nisnetgrouptriple || objectclass")(target = "ldap:///cn=ng,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Netgroup Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "externalhost || member || memberhost || memberof || memberuser || objectclass")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
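Review bot: `nisnetgrouptriple` and `membernisnetgroup` now go to `ldap:///anyone`; netgroup triples carry host and user names, so this is the same membership-exposure question as for groups, and "Read Netgroup Membership" on cn=ng,cn=alt (unchanged line below) stays at `ldap:///all`, so compat and primary tree disagree here too. Worth a sentence in the commit message stating that this is deliberate.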
@@ -219,7 +221,7 @@ aci: (targetattr = "cmdcategory || description || externalhost || externaluser |
 dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=trusts,dc=ipa,dc=example
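Review bot: the "Read Sudoers compat tree" change grants `sudohost`, `sudouser`, `sudocommand` and the `sudorunas*` attributes to `ldap:///anyone`, while "Read Sudo Rules" on cn=sudorules (the unchanged line above it) stays at `ldap:///all`. Sudo policy thus becomes readable without a bind via ou=sudoers only; confirm this is intended rather than a side effect of the blanket `all` to `anyone` switch, and if it is, say so in the commit message.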
@@ -250,6 +252,8 @@ dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || gecos || gidnumber || homedirectory || loginshell || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
@@ -276,6 +280,8 @@ dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || ipaconfigstring || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || creatorsname || entryusn || modifiersname || modifytimestamp")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Operational Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=config
 aci: (targetattr = "cn || description || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=replication,cn=etc,dc=ipa,dc=example
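Review bot: "Read Operational Attributes" is anchored at `dc=ipa,dc=example` with `(targetfilter = "(objectclass=*)")` and no `target`, so `creatorsname` and `modifiersname` become readable by anonymous binds on every entry in the suffix, not only the compat tree. Martin's question in the thread (public information, or DM-only audit data?) is still open, and the list also drops `entryDN`, `hasSubordinates` and `numSubordinates` from the proposed set without saying why. Suggest either splitting the timestamp/USN attributes SSSD needs from the creator/modifier names, or documenting the choice in the commit message.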
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index a4340bb..620bb11 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -204,12 +204,22 @@ class group(LDAPObject):
         },
         'System: Read Group Compat Tree': {
             'non_object': True,
-            'ipapermbindruletype': 'all',
+            'ipapermbindruletype': 'anonymous',
             'ipapermlocation': api.env.basedn,
             'ipapermtarget': DN('cn=groups', 'cn=compat', api.env.basedn),
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
-                'objectclass', 'cn', 'memberuid',
+                'objectclass', 'cn', 'memberuid', 'gidnumber',
+            },
+        },
+        'System: Read Group Views Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=groups', 'cn=*', 'cn=views', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'memberuid', 'gidnumber',
             },
         },
     }
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 5301c1a..3f5e4e7 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -370,7 +370,7 @@ class host(LDAPObject):
         },
         'System: Read Host Compat Tree': {
             'non_object': True,
-            'ipapermbindruletype': 'all',
+            'ipapermbindruletype': 'anonymous',
             'ipapermlocation': api.env.basedn,
             'ipapermtarget': DN('cn=computers', 'cn=compat', api.env.basedn),
             'ipapermright': {'read', 'search', 'compare'},
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index 4254526..da2808f 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -162,7 +162,7 @@ class netgroup(LDAPObject):
         },
         'System: Read Netgroup Compat Tree': {
             'non_object': True,
-            'ipapermbindruletype': 'all',
+            'ipapermbindruletype': 'anonymous',
             'ipapermlocation': api.env.basedn,
             'ipapermtarget': DN('cn=ng', 'cn=compat', api.env.basedn),
             'ipapermright': {'read', 'search', 'compare'},
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index d2d30a1..f16d275 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -166,7 +166,7 @@ class sudorule(LDAPObject):
             'non_object': True,
             'ipapermlocation': api.env.basedn,
             'ipapermtarget': DN('ou=sudoers', api.env.basedn),
-            'ipapermbindruletype': 'all',
+            'ipapermbindruletype': 'anonymous',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'objectclass', 'cn', 'ou',
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f95b4fd..e206289 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -435,6 +435,17 @@ class user(LDAPObject):
                 'homedirectory', 'loginshell',
             },
         },
+        'System: Read User Views Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=users', 'cn=*', 'cn=views', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
+                'homedirectory', 'loginshell',
+            },
+        },
     }
 
     label = _('Users')
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 2051bd4..d2b7dea 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -96,6 +96,17 @@ from ipaserver.install.plugins.baseupdate import PostUpdate
 register = Registry()
 
 NONOBJECT_PERMISSIONS = {
+    'System: Read Operational Attributes': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': api.env.basedn,
+        'ipapermtargetfilter': {'(objectclass=*)'},
+        'ipapermbindruletype': 'anonymous',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'createtimestamp', 'modifytimestamp',
+            'creatorsname', 'modifiersname', 'entryusn',
+        },
+    },
     'System: Read IPA Masters': {
         'replaces_global_anonymous_aci': True,
         'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
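Review bot: the new `NONOBJECT_PERMISSIONS['System: Read Operational Attributes']` entry has no comment explaining the attribute choice; a short note that `entryusn` is what SSSD consumes, and why `creatorsname`/`modifiersname` are included while `entrydn`, `hassubordinates` and `numsubordinates` are not, would save the next reader a trip to this thread. The set must also stay identical to the generated ACI.txt line (it does in this patch).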
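The thread's core question is which attributes a bind rule of `ldap:///anyone` (anonymous) versus `ldap:///all` (any authenticated user) exposes, and the ACL log above shows how easy it is to lose track across many ACIs. The following is an added example, not code from this thread or from FreeIPA: a small audit script that parses ACI values in the layout ACI.txt uses (targetattr, optional targetfilter, optional target, then the version/acl/allow/bind-rule body), classifies each by bind subject, and reports which attributes become anonymous-readable between a "before" and "after" set. The sample ACIs are constructed from the lines in the patch, with the sudo attribute list shortened; the suffix dc=ipa,dc=example is the one the patch uses.

```python
"""Audit 389-ds style ACI lines for what anonymous binds can read (added example)."""
import re
from dataclasses import dataclass

# Matches the attribute/target/bind-rule layout used in FreeIPA's ACI.txt.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'(?:\(targetfilter\s*=\s*"(?P<filter>[^"]*)"\))?'
    r'(?:\(target\s*=\s*"(?P<target>[^"]*)"\))?'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<subjtype>userdn|groupdn)\s*=\s*"(?P<subject>[^"]*)";\)'
)


@dataclass(frozen=True)
class Aci:
    name: str
    attrs: frozenset
    rights: frozenset
    subjtype: str
    subject: str
    target: str = ""      # empty means "everything under the ACI's location"
    filter: str = ""

    @property
    def bind_class(self) -> str:
        """anonymous / authenticated / group / other, from the bind rule."""
        if self.subjtype == "groupdn":
            return "group"
        if self.subject == "ldap:///anyone":
            return "anonymous"
        if self.subject == "ldap:///all":
            return "authenticated"
        return "other"


def parse_aci(value: str) -> Aci:
    m = ACI_RE.fullmatch(value.strip())
    if not m:
        raise ValueError("unrecognised ACI layout: %r" % value[:60])
    attrs = frozenset(a.strip().lower() for a in m.group("attrs").split("||"))
    rights = frozenset(r.strip() for r in m.group("rights").split(","))
    return Aci(m.group("name"), attrs, rights, m.group("subjtype"),
               m.group("subject"), m.group("target") or "", m.group("filter") or "")


def anonymous_readable(acis, subtrees=("cn=compat,", "ou=sudoers,")):
    """ACI name -> sorted attrs readable without a bind in the given subtrees.

    An ACI with no target applies to the whole location, so it is included too.
    """
    out = {}
    for aci in acis:
        if aci.bind_class != "anonymous" or "read" not in aci.rights:
            continue
        if aci.target and not any(s in aci.target for s in subtrees):
            continue
        out[aci.name] = sorted(aci.attrs)
    return out


def newly_anonymous(before, after):
    """Attributes that become anonymous-readable between two ACI sets, by ACI name."""
    old = {a.name: a for a in before}
    changes = {}
    for aci in after:
        if aci.bind_class != "anonymous":
            continue
        prev = old.get(aci.name)
        prev_attrs = prev.attrs if prev and prev.bind_class == "anonymous" else frozenset()
        gained = aci.attrs - prev_attrs
        if gained:
            changes[aci.name] = sorted(gained)
    return changes


# Constructed samples taken from the ACI.txt hunks in the patch (sudo list shortened).
GROUP_MEMBERSHIP = ('(targetattr = "member || memberhost || memberof || memberuid || memberuser")'
                    '(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")'
                    '(version 3.0;acl "permission:System: Read Group Membership";'
                    'allow (compare,read,search) userdn = "ldap:///all";)')
BEFORE = [parse_aci(s) for s in (
    '(targetattr = "cn || memberuid || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")'
    '(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///all";)',
    '(targetattr = "cn || objectclass || ou || sudocommand || sudohost || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")'
    '(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)',
    GROUP_MEMBERSHIP,
)]
AFTER = [parse_aci(s) for s in (
    '(targetattr = "cn || gidnumber || memberuid || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")'
    '(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)',
    '(targetattr = "cn || objectclass || ou || sudocommand || sudohost || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")'
    '(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)',
    GROUP_MEMBERSHIP,
    '(targetattr = "createtimestamp || creatorsname || entryusn || modifiersname || modifytimestamp")'
    '(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Operational Attributes";'
    'allow (compare,read,search) userdn = "ldap:///anyone";)',
)]

if __name__ == "__main__":
    for name, attrs in newly_anonymous(BEFORE, AFTER).items():
        print("%s: now anonymous-readable: %s" % (name, ", ".join(attrs)))
```

Run against a real ACI.txt (one `aci:` value per call to `parse_aci`) the `newly_anonymous` report is the list a reviewer wants beside a patch like this one: it shows at a glance that `memberuid` and the sudo attributes move from authenticated-only to anonymous, while "Read Group Membership" on the primary tree does not.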
