[Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn & timestamp entries to individual permissions

Martin Kosek mkosek at redhat.com
Fri Sep 12 14:25:08 UTC 2014


On 09/12/2014 01:53 PM, Petr Viktorin wrote:
> https://fedorahosted.org/freeipa/ticket/4534
>
> The entryusn and timestamp operational attributes are now automatically added
> to every read permission that targets objectclass, whether managed or
> user-created.
>
> The 'System: Read Timestamp and USN Operational Attributes', which was added
> for 4.0.2, is removed on upgrade.
>
>

This looks good to me. deref search now returns expected results:

# ldapsearch -h `hostname` -Y GSSAPI -b uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E 'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof: <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgr
  oup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedG
  roup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc
  =test

# memberof: <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnam
  es>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=t
  rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test

objectClass: top
objectClass: person
...


I.e. only the memberof objects that the host has access to are dereferenced. 
Updated permissions also look OK.

Thus ACK from me if there are no other objections.

What should we do about remaining Operational permission?

--------------------
1 permission matched
--------------------
   Permission name: System: Read Creator and Modifier Operational Attributes
   Granted rights: read, compare, search
   Effective attributes: creatorsname, modifiersname
   Default attributes: modifiersname, creatorsname
   Bind rule type: all
   Subtree: dc=mkosek-fedora20,dc=test
   Extra target filter: (objectclass=*)
----------------------------
Number of entries returned 1
----------------------------
? Any host can still use deref to, for example, find creatorsname or 
modifiersname of memberof entries.

I would personally rather delete the permission and keep the attributes only 
for DM (and admin) or make it permission-based as SSSD does not use it anyway, 
AFAIK.

Martin
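As an added example (not code from this thread or from FreeIPA itself), the following Python snippet parses the `# memberof: <attr=value>;...;dn` comment lines that ldapsearch prints for the dereference control, so a reviewer can check from captured output exactly which attributes of the dereferenced group entries the search exposed. The sample output is constructed from the transcript above (same DNs and USN values); its line wrapping follows RFC 2849, where a continuation line begins with one space. The allow-list check `unexpected_attributes` is a hypothetical helper, not part of any FreeIPA tooling.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a deref-control ldapsearch result, modelled on the
# transcript in the message above. Continuation lines start with one space.
SAMPLE_OUTPUT = (
    "# admin, users, accounts, mkosek-fedora20.test\n"
    "dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test\n"
    "control: 1.3.6.1.4.1.4203.666.5.16 false ...\n"
    "# memberof: <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgr\n"
    " oup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedG\n"
    " roup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc\n"
    " =test\n"
    "\n"
    "# memberof: <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnam\n"
    " es>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=t\n"
    " rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test\n"
    "\n"
    "objectClass: top\n"
    "objectClass: person\n"
)

# "# <attribute>: <body>" as printed by ldapsearch for a dereferenced attribute.
DEREF_LINE_RE = re.compile(r"^# (?P<attr>[A-Za-z][\w-]*): (?P<body>.+)$")
# One "<name=value>" item inside the body.
ITEM_RE = re.compile(r"^<(?P<name>[^=>]+)=(?P<value>[^>]*)>$")
# The trailing item must look like a DN (starts with an RDN such as cn=...).
DN_RE = re.compile(r"^[A-Za-z][\w-]*=")


def unwrap_ldif(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_deref_comments(text: str) -> List[Dict]:
    """Extract dereferenced entries from ldapsearch output.

    Each result is {"attr": <dereferenced attribute>, "dn": <entry DN>,
    "values": {<attribute name, lower-cased>: [values...]}}.
    Lines that do not have the "<name=value>;...;dn" shape (e.g. "# filter: ...")
    are ignored.
    """
    results: List[Dict] = []
    for line in unwrap_ldif(text):
        m = DEREF_LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("body").split(";")
        dn = parts[-1]
        if not DN_RE.match(dn):
            continue
        values: Dict[str, List[str]] = {}
        well_formed = True
        for item in parts[:-1]:
            im = ITEM_RE.match(item)
            if not im:
                well_formed = False
                break
            values.setdefault(im.group("name").lower(), []).append(im.group("value"))
        if well_formed:
            results.append({"attr": m.group("attr"), "dn": dn, "values": values})
    return results


def unexpected_attributes(derefs: List[Dict], allowed: Set[str]) -> Set[str]:
    """Names of dereferenced attributes that are not on the allow-list (case-insensitive)."""
    allowed_lower = {a.lower() for a in allowed}
    return {name for d in derefs for name in d["values"] if name not in allowed_lower}


if __name__ == "__main__":
    found = parse_deref_comments(SAMPLE_OUTPUT)
    for entry in found:
        print(entry["dn"], "->", sorted(entry["values"]))
    print("beyond allow-list:", unexpected_attributes(found, {"objectclass", "entryusn"}))
```

Run over real output, the allow-list would hold the attributes the bound identity is meant to see on the dereferenced entries; anything reported by `unexpected_attributes` points at a permission (such as the remaining creatorsname/modifiersname one discussed above) that still exposes more than intended through deref.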
