[Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn & timestamp entries to individual permissions

Petr Viktorin pviktori at redhat.com
Fri Sep 12 14:46:43 UTC 2014


On 09/12/2014 04:25 PM, Martin Kosek wrote:
> On 09/12/2014 01:53 PM, Petr Viktorin wrote:
>> https://fedorahosted.org/freeipa/ticket/4534
>>
>> The entryusn and timestamp operational attributes are now
>> automatically added
>> to every read permission that targets objectclass, whether managed or
>> user-created.
>>
>> The 'System: Read Timestamp and USN Operational Attributes', which was
>> added
>> for 4.0.2, is removed on upgrade.
>>
>>
>
> This looks good to me. deref search now returns expected results:
>
> # ldapsearch -h `hostname` -Y GSSAPI -b
> uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
> 'deref=memberof:objectclass,entryusn'
> SASL/GSSAPI authentication started
> SASL username: host/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with
> scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> # with dereference control
> #
>
> # admin, users, accounts, mkosek-fedora20.test
> dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
> control: 1.3.6.1.4.1.4203.666.5.16 false ...
> # memberof:
> <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgr
>   oup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedG
>   roup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc
>   =test
>
> # memberof:
> <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnam
>   es>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=t
>   rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
>
> objectClass: top
> objectClass: person
> ...
>
>
> I.e. only the memberof objects that the host has access to are
> dereferenced. Updated permissions also look OK.
>
> Thus ACK from me if there are no other objections.
>
> What should we do about remaining Operational permission?
>
> --------------------
> 1 permission matched
> --------------------
>    Permission name: System: Read Creator and Modifier Operational
> Attributes
>    Granted rights: read, compare, search
>    Effective attributes: creatorsname, modifiersname
>    Default attributes: modifiersname, creatorsname
>    Bind rule type: all
>    Subtree: dc=mkosek-fedora20,dc=test
>    Extra target filter: (objectclass=*)
> ----------------------------
> Number of entries returned 1
> ----------------------------
> ? Any host can still use deref to, for example, find creatorsname or
> modifiersname of memberof entries.
>
> I would personally rather delete the permission and keep the attributes
> only for DM (and admin) or make it permission-based as SSSD does not use
> it anyway, AFAIK.
>
> Martin

This version removes 'System: Read Creator and Modifier Operational 
Attributes' as well.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0642.2-permission-plugin-Auto-add-operational-atttributes-t.patch
Type: text/x-patch
Size: 61379 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140912/c1653786/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0643.2-Allow-deleting-obsolete-permissions-remove-operation.patch
Type: text/x-patch
Size: 7760 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140912/c1653786/attachment-0001.bin>
