[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Martin Kosek mkosek at redhat.com
Fri Sep 19 13:55:15 UTC 2014


On 09/18/2014 09:42 PM, Martin Kosek wrote:
> On 09/18/2014 09:11 PM, Simo Sorce wrote:
>> On Thu, 18 Sep 2014 14:57:45 -0400
>> Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Martin Kosek wrote:
>>>> On 09/18/2014 04:06 PM, David Kupka wrote:
>>>>> On 09/18/2014 03:44 PM, Rob Crittenden wrote:
>>>>>> David Kupka wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/4421
>>>>>>
>>>>>> You are removing an ACI in this patch. It is always possible it
>>>>>> is no longer needed. Did you test all the client enrollment
>>>>>> scenarios?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
>>>>> it is possible to add krbPrincipalName to host even when there is
>>>>> already one (or more). And adding one ACI to allow writing
>>>>> krbCanonicalName to host. But I'm still not really familiar with
>>>>> ACI so please correct me if I'm wrong.
>>>>>
>>>>
>>>> What he refers to is probably the update in ACI.txt - the ACI
>>>> alternative to API.txt. David updated an ACI, not removed it.
>>>>
>>>> On that note, what is the reason for this permission change:
>>>>
>>>> -            'ipapermtargetfilter': [
>>>> -                '(objectclass=ipahost)',
>>>> -                '(!(krbprincipalname=*))',
>>>> -            ],
>>>>
>>>> ?
>>>
>>> Yes, this is exactly the change I was referring to. Permission changes
>>> within a plugin now translate automatically to ACI changes. Sorry I
>>> wasn't clearer.
>>>
>>> This ACI gets replaced with a much simpler one and I'm not 100% sure
>>> it will work with all enrollments:
>>>
>>> -aci: (targetattr = "krbprincipalname")(targetfilter =
>>> "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl
>>> "permission:System: Add krbPrincipalName to a Host";allow (write)
>>> groupdn = "ldap:///cn=System: Add krbPrincipalName to a
>>> Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
>>>
>>> +aci: (targetattr = "krbprincipalname")(targetfilter =
>>> "(objectclass=ipahost)")(version 3.0;acl "permission:System: Add
>>> krbPrincipalName to a Host";allow (write) groupdn =
>>> "ldap:///cn=System: Add krbPrincipalName to a
>>> Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
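Review bot: the replacement targetfilter on the `+aci:` line drops the `(!(krbprincipalname=*))` clause, so holders of "System: Add krbPrincipalName to a Host" can write krbprincipalname on any ipahost entry, including one that already has a principal; the same widening is what the removed `ipapermtargetfilter` lines in the plugin express. If alias support is the goal, keep the enrollment permission's filter exactly as it was and add a separate permission that grants write on krbPrincipalName and krbCanonicalName for hosts that already carry a principal, so the OTP-enrollment permission never grants the right to change an existing principal.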
>>>
>>> The first one restricts writing the attribute only if it isn't already
>>> set. The second lets it be changed unconditionally.
>>
>> Yeah this is wrong indeed, the point of the ACI is to allow setting the
>> principal only when it is not already set, which is the OTP enrollment
>> case. But if krbprincipal is set then this specific permission should
>> not grant rights to change it.
>>
>> At least this was my understanding.
>>
>> Simo.
>
> Right. It seems to me we should keep this permission intact and add a new
> permission allowing adding krbPrincipalName aliases. This would allow writing
> both krbPrincipalName and krbCanonicalName.
>
> Martin

Simo, Rob - are you OK with this approach? I.e. having a new permission just 
for allowing adding aliases and not touching the enrollment-related permission?

I would assign that new permission to Host Administrators privilege by default.

Martin
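To make the difference between the two targetfilters concrete, here is an added example (not FreeIPA or 389-ds code, and not part of the thread): a small evaluator for the subset of RFC 4515 search filters used in the quoted ACIs, applied to two constructed host entries. It shows that the original filter only matches a host with no krbprincipalname yet, that the replacement filter matches an already-enrolled host too, and how the split proposed above (enrollment permission unchanged, separate alias permission) keeps the enrollment permission from reaching existing principals. ACI semantics are reduced to "targetfilter matches and attribute is in targetattr"; the host entries, principal names and the alias permission's filter are assumptions made for the illustration.

```python
# Added example: minimal LDAP filter evaluator to compare the two ACI targetfilters.
# Entry keys and attribute names are compared case-insensitively, as in LDAP.

# Constructed host entries (assumed, not taken from the thread).
HOST_UNENROLLED = {"objectclass": ["ipahost", "top"]}
HOST_ENROLLED = {
    "objectclass": ["ipahost", "top"],
    "krbprincipalname": ["host/web.ipa.example@IPA.EXAMPLE"],
}

# Targetfilters from the quoted ACI diff.
OLD_TARGETFILTER = "(&(!(krbprincipalname=*))(objectclass=ipahost))"
NEW_TARGETFILTER = "(objectclass=ipahost)"

# Permissions as (targetattr, targetfilter); the alias permission is assumed.
ENROLLMENT_PERMISSION = (["krbprincipalname"], OLD_TARGETFILTER)
ALIAS_PERMISSION = (["krbprincipalname", "krbcanonicalname"], NEW_TARGETFILTER)


def parse_filter(text):
    """Parse a filter supporting &, |, !, presence (attr=*) and equality."""
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return tree


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s at %d" % (op, i))
        return (op, children), i + 1
    if op == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! at %d" % i)
        return ("!", [child]), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("bad assertion %r" % s[i:end])
    return ("=", attr.lower(), value), end + 1


def matches(tree, entry):
    """Evaluate a parsed filter against an entry ({attr: [values]})."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":          # presence filter: true if attribute has any value
        return bool(values)
    return value.lower() in values


def aci_grants_write(permission, entry, attr):
    """Simplified ACI check: attr is in targetattr and targetfilter matches."""
    targetattr, targetfilter = permission
    if attr.lower() not in {a.lower() for a in targetattr}:
        return False
    return matches(parse_filter(targetfilter), entry)


def compare_filters(entry):
    """Return (old filter grants write, new filter grants write) for krbPrincipalName."""
    old = aci_grants_write((["krbprincipalname"], OLD_TARGETFILTER), entry, "krbPrincipalName")
    new = aci_grants_write((["krbprincipalname"], NEW_TARGETFILTER), entry, "krbPrincipalName")
    return old, new


def split_permissions(entry, attr):
    """Return which of (enrollment, alias) permissions would grant a write of attr."""
    return (aci_grants_write(ENROLLMENT_PERMISSION, entry, attr),
            aci_grants_write(ALIAS_PERMISSION, entry, attr))


if __name__ == "__main__":
    print("unenrolled host, old/new filter:", compare_filters(HOST_UNENROLLED))
    print("enrolled host,   old/new filter:", compare_filters(HOST_ENROLLED))
    print("enrolled host, enrollment/alias permission for krbPrincipalName:",
          split_permissions(HOST_ENROLLED, "krbPrincipalName"))
```

Run as a script, the second line shows the widening: the enrolled host is not matched by the old filter but is matched by the new one, while with the split the enrollment permission still does not reach the enrolled host and only the alias permission does.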