[Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn & timestamp entries to individual permissions

Martin Kosek mkosek at redhat.com
Fri Sep 12 15:02:37 UTC 2014


On 09/12/2014 04:46 PM, Petr Viktorin wrote:
> On 09/12/2014 04:25 PM, Martin Kosek wrote:
>> On 09/12/2014 01:53 PM, Petr Viktorin wrote:
>>> https://fedorahosted.org/freeipa/ticket/4534
>>>
>>> The entryusn and timestamp operational attributes are now
>>> automatically added
>>> to every read permission that targets objectclass, whether managed or
>>> user-created.
>>>
>>> The 'System: Read Timestamp and USN Operational Attributes', which was
>>> added
>>> for 4.0.2, is removed on upgrade.
>>>
>>>
>>
>> This looks good to me. deref search now returns expected results:
>>
>> # ldapsearch -h `hostname` -Y GSSAPI -b
>> uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
>> 'deref=memberof:objectclass,entryusn'
>> SASL/GSSAPI authentication started
>> SASL username: host/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with
>> scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> # with dereference control
>> #
>>
>> # admin, users, accounts, mkosek-fedora20.test
>> dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
>> control: 1.3.6.1.4.1.4203.666.5.16 false ...
>> # memberof:
>> <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgr
>>   oup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedG
>>   roup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc
>>   =test
>>
>> # memberof:
>> <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnam
>>   es>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=t
>>   rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
>>
>> objectClass: top
>> objectClass: person
>> ...
>>
>>
>> I.e. only the memberof objects that the host has access to are
>> dereferenced. Updated permissions also look OK.
>>
>> Thus ACK from me if there are no other objections.
>>
>> What should we do about remaining Operational permission?
>>
>> --------------------
>> 1 permission matched
>> --------------------
>>    Permission name: System: Read Creator and Modifier Operational
>> Attributes
>>    Granted rights: read, compare, search
>>    Effective attributes: creatorsname, modifiersname
>>    Default attributes: modifiersname, creatorsname
>>    Bind rule type: all
>>    Subtree: dc=mkosek-fedora20,dc=test
>>    Extra target filter: (objectclass=*)
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>> ? Any host can still use deref to, for example, find creatorsname or
>> modifiersname of memberof entries.
>>
>> I would personally rather delete the permission and keep the attributes
>> only for DM (and admin) or make it permission-based as SSSD does not use
>> it anyway, AFAIK.
>>
>> Martin
>
> This version removes 'System: Read Creator and Modifier Operational Attributes'
> as well.
>

Works fine. ACK.

(You will need to regenerate ACI.txt for each merged branch as there are 
conflicts).

Thanks!
Martin
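An added audit check, not part of this thread or of FreeIPA's own code: it parses the `ipa permission-find` block layout quoted above and flags permissions whose bind rule type is "all" (readable by any bound principal, such as a host keytab) and whose effective attributes include operational attributes like creatorsname, modifiersname or entryusn. The operational-attribute list and the sample output are constructed for the example.

```python
import re

# Operational attributes that reveal who created/changed an entry and when
# (constructed list; entryusn and the timestamps are the ones the thread covers).
OPERATIONAL_ATTRS = {"creatorsname", "modifiersname", "createtimestamp",
                     "modifytimestamp", "entryusn"}

# Constructed sample in the `ipa permission-find` layout quoted in the thread.
SAMPLE_OUTPUT = """\
  Permission name: System: Read Creator and Modifier Operational Attributes
  Effective attributes: creatorsname, modifiersname
  Bind rule type: all
  Subtree: dc=example,dc=test

  Permission name: System: Read User Addressbook Attributes
  Effective attributes: seealso, telephonenumber
  Bind rule type: permission
----------------------------
Number of entries returned 2
----------------------------
"""

# "Key: value" lines; the key stops at the first colon, so "System: Read ..." survives.
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")


def parse_permissions(text):
    """Return one dict per 'Permission name:' block, keys lower-cased."""
    perms = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separators, entry counts and blank lines
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "permission name":
            perms.append({"name": value})
        elif perms:
            perms[-1][key] = value
    return perms


def exposed_operational(perms):
    """Map permission name -> operational attrs readable by every bound DN."""
    findings = {}
    for p in perms:
        if p.get("bind rule type") != "all":  # 'all' = any authenticated DN
            continue
        attrs = {a.strip().lower() for a in p.get("effective attributes", "").split(",") if a}
        leaked = sorted(attrs & OPERATIONAL_ATTRS)
        if leaked:
            findings[p["name"]] = leaked
    return findings
```

Running `exposed_operational(parse_permissions(SAMPLE_OUTPUT))` reports only the first permission, which is the one the thread ends up removing.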