[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 5 09:12:41 UTC 2014


On Fri, 05 Sep 2014, Martin Kosek wrote:
>On 09/04/2014 04:44 PM, Ludwig Krispenz wrote:
>>
>> On 09/04/2014 04:38 PM, Martin Kosek wrote:
>>> On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
>>> ...
>>>>>> createTimestamp is operational attribute and is synthesized by
>>>>>> slapi-nis, there is no problem allowing access to it. I think we can
>>>>>> allow following operational attributes:
>>>>>>
>>>>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>>>>>> entryDN, hasSubordinates, numSubordinates
>>>>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>>>>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>>>>> for whole FreeIPA DIT. So this change is not so related to these patches.
>>>>>
>>>>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
>>>>> consider that public information or just audit-like information for DM only?
>>>> They are standard features of LDAP servers. RFC 4512 states:
>>>> =============================================================================
>>>> 3.4 Operational attributes
>>>> ...
>>>> Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
>>>> 'modifiersName', and 'modifyTimestamp' attributes for all entries of the
>>>> DIT.
>>>> =============================================================================
>>>>
>>>> This is, again, a question of policy. Active Directory forbids anonymous
>>>> access to the tree; so they always expose these attributes to
>>>> authenticated users only. If we allow anonymous access, we should allow
>>>> these attributes too.
>>> Well, DS *does* maintain the attributes - question is whether we want to show
>>> them to anonymous/authenticated people or just the DM :)
>> Whether you want to show them depends on whether they are useful or sensitive.
>> I don't know why an anonymous user would need access to them.
>> Are they sensitive? Well, at least they expose a DN which has rights to
>> create and modify entries and could be used when trying to get more access.
>
>Alexander, should we then show just
>+            'createtimestamp', 'modifytimestamp', 'entryusn',
>to authenticated users? I do not think that modifiers/creatorsDN is something
>that anonymous users need to see by default.
createtimestamp, modifytimestamp, and entryusn are all needed by the sssd
LDAP provider. Not allowing them for anonymous users will make legacy SSSD
performance suboptimal.

modifier/creator DNs can be given out only to authenticated users.

-- 
/ Alexander Bokovoy
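The split proposed in this reply, written out as two 389-DS ACIs on the compat subtree. This is an added illustration, not the patch under discussion: FreeIPA generates such ACIs from its managed permission definitions rather than shipping hand-written LDIF, and the suffix dc=example,dc=com and the ACI names are placeholders.

```ldif
# Constructed example: two ACIs added to the compat tree root.
# Replace dc=example,dc=com with the real IPA suffix.
dn: cn=compat,dc=example,dc=com
changetype: modify
add: aci
# Anonymous binds may read the three operational attributes the
# SSSD LDAP provider uses for change detection and enumeration.
aci: (targetattr = "createtimestamp || modifytimestamp || entryusn")
  (version 3.0; acl "Anonymous read of compat change markers";
  allow (read, search, compare) userdn = "ldap:///anyone";)
-
add: aci
# creatorsName/modifiersName reveal the DN of an account able to write
# entries, so they are limited to authenticated binds (ldap:///all).
aci: (targetattr = "creatorsname || modifiersname")
  (version 3.0; acl "Authenticated read of compat creator/modifier DNs";
  allow (read, search, compare) userdn = "ldap:///all";)
-
```

Operational attributes are not returned by default, so when verifying the result with ldapsearch request them explicitly (`'*' '+'`) once as an anonymous bind and once as an authenticated one, and confirm that creatorsName and modifiersName appear only in the second result.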