[Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn & timestamp entries to individual permissions

Petr Viktorin pviktori at redhat.com
Fri Sep 12 16:24:37 UTC 2014


On 09/12/2014 05:02 PM, Martin Kosek wrote:
> On 09/12/2014 04:46 PM, Petr Viktorin wrote:
>> On 09/12/2014 04:25 PM, Martin Kosek wrote:
>>> On 09/12/2014 01:53 PM, Petr Viktorin wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4534
>>>>
>>>> The entryusn and timestamp operational attributes are now automatically
>>>> added to every read permission that targets objectclass, whether managed
>>>> or user-created.
>>>>
>>>> The 'System: Read Timestamp and USN Operational Attributes' permission,
>>>> which was added for 4.0.2, is removed on upgrade.
>>>>
>>>>
>>>
>>> This looks good to me. deref search now returns expected results:
>>>
>>> # ldapsearch -h `hostname` -Y GSSAPI -b uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E 'deref=memberof:objectclass,entryusn'
>>> SASL/GSSAPI authentication started
>>> SASL username: host/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> # with dereference control
>>> #
>>>
>>> # admin, users, accounts, mkosek-fedora20.test
>>> dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
>>> control: 1.3.6.1.4.1.4203.666.5.16 false ...
>>> # memberof:
>>> <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgroup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedGroup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
>>>
>>> # memberof:
>>> <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnames>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=trust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
>>>
>>> objectClass: top
>>> objectClass: person
>>> ...
>>>
>>>
>>> I.e. only the memberof objects that the host has access to are
>>> dereferenced. Updated permissions also look OK.
>>>
>>> Thus ACK from me if there are no other objections.
>>>
>>> What should we do about remaining Operational permission?
>>>
>>> --------------------
>>> 1 permission matched
>>> --------------------
>>>    Permission name: System: Read Creator and Modifier Operational
>>> Attributes
>>>    Granted rights: read, compare, search
>>>    Effective attributes: creatorsname, modifiersname
>>>    Default attributes: modifiersname, creatorsname
>>>    Bind rule type: all
>>>    Subtree: dc=mkosek-fedora20,dc=test
>>>    Extra target filter: (objectclass=*)
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>> ? Any host can still use deref to, for example, find creatorsname or
>>> modifiersname of memberof entries.
>>>
>>> I would personally rather delete the permission and keep the attributes
>>> only for DM (and admin) or make it permission-based as SSSD does not use
>>> it anyway, AFAIK.
>>>
>>> Martin
>>
>> This version removes 'System: Read Creator and Modifier Operational
>> Attributes' as well.
>>
>
> Works fine. ACK.

Thanks! Pushed to:
ipa-4-0: f47da6a761a97134668cf674c78f5f9271c98e8b
ipa-4-1: a0e23ce210506be84716343982ef43099841177b
master: 4fac4f4cf65b54bc0b194928341b31e3c67d63a5

> (You will need to regenerate ACI.txt for each merged branch as there are
> conflicts).

(Yeah, whoever invented this ACI.txt thing, I need to have a talk with him)


-- 
Petr³
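The thread verifies the change by reading the `# memberof:` comment lines that ldapsearch prints for the dereference control and checking which attributes of the referenced groups a host principal can see. The checker below automates that reading; it is an added example, not code from the thread or from FreeIPA, the sample lines are constructed, and the allowed-attribute set is an assumption taken from the deref spec used in the thread (objectclass and entryusn).

```python
import re

# Constructed sample: two "# memberof:" comment lines in the form ldapsearch
# prints them for the dereference control, re-joined onto one line each.
# The second line deliberately exposes creatorsname, the case the thread
# wants closed by removing the Creator/Modifier permission.
SAMPLE_DEREF_LINES = [
    "# memberof: <objectclass=top>;<objectclass=groupofnames>;<entryusn=16719>;"
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=test",
    "# memberof: <objectclass=top>;<entryusn=375>;<creatorsname=cn=directory manager>;"
    "cn=trust admins,cn=groups,cn=accounts,dc=example,dc=test",
]

# Assumption: what a plain host principal should be able to read on the
# dereferenced group entries after the patch (matches the deref spec
# 'memberof:objectclass,entryusn' used in the thread).
EXPECTED_READABLE = {"objectclass", "entryusn"}

DEREF_LINE = re.compile(r"^#\s*(?P<attr>[\w-]+):\s*(?P<body>.*)$")


def parse_deref_line(line):
    """Return (deref_attr, entry_dn, {attr: [values]}) for one deref comment line."""
    m = DEREF_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a deref comment line: {line!r}")
    body = m.group("body")
    attrs = {}
    # Each "<attr=value>;" token precedes the final DN. Values such as
    # creatorsname contain '=' themselves, so split only on the first '='.
    while body.startswith("<"):
        end = body.index(">;")
        name, _, value = body[1:end].partition("=")
        attrs.setdefault(name.lower(), []).append(value)
        body = body[end + 2:]
    return m.group("attr"), body, attrs


def unexpected_attrs(lines, allowed=EXPECTED_READABLE):
    """Map each dereferenced DN to the attributes exposed beyond the allowed set."""
    leaks = {}
    for line in lines:
        _, dn, attrs = parse_deref_line(line)
        extra = sorted(set(attrs) - allowed)
        if extra:
            leaks[dn] = extra
    return leaks
```

Run it against the output of an ldapsearch bound as a host principal; an empty result means the dereferenced entries expose nothing beyond what the bind identity's read permissions grant.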
