[Freeipa-devel] #4534: SSSD deref processing fail when entryusn can be read and objectclass doesn't
Martin Kosek
mkosek at redhat.com
Thu Sep 11 15:03:23 UTC 2014
Hello,
We have another important issue to resolve. Current FreeIPA 4.0.2 ACI settings
cause older SSSD clients to fail as they get returned an LDAP deref call
results without objectclass attribute and just with entryusn attribute. Details
in https://fedorahosted.org/freeipa/ticket/4534. While I agree SSSD should be
more tolerant in this case, it still breaks old clients which we should prevent.
There are 2 ways how to fix I currently see:
1) Return objectclass for any entry, just like we do with operational attributes
This would include adding "objectclass" to "System: Read Timestamp and USN
Operational Attributes". However, I am rather cautious about this approach as
even though objectclass does not usually carry a secret information, we could
still leak some information about our DIT to unprivileged user.
2) Show objectclass+operational attributes in our Read ACIs
Other way I see is to update *all* our Read permissions allowing reading
objectclass attribute and also allow the chosen LDAP operational attribute.
This would let the LDAP caller to always get either all these discussed
attributes but none at all.
Do we want to do this? Any other (better) idea how to approach it?
Thank you.
--
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
More information about the Freeipa-devel
mailing list