[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

Simo Sorce simo at redhat.com
Fri Sep 19 14:09:12 UTC 2014


On Fri, 19 Sep 2014 15:55:15 +0200
Martin Kosek <mkosek at redhat.com> wrote:

> On 09/18/2014 09:42 PM, Martin Kosek wrote:
> > On 09/18/2014 09:11 PM, Simo Sorce wrote:
> >> On Thu, 18 Sep 2014 14:57:45 -0400
> >> Rob Crittenden <rcritten at redhat.com> wrote:
> >>
> >>> Martin Kosek wrote:
> >>>> On 09/18/2014 04:06 PM, David Kupka wrote:
> >>>>> On 09/18/2014 03:44 PM, Rob Crittenden wrote:
> >>>>>> David Kupka wrote:
> >>>>>>> https://fedorahosted.org/freeipa/ticket/4421
> >>>>>>
> >>>>>> You are removing an ACI in this patch. It is always possible it
> >>>>>> is no longer needed. Did you test all the client enrollment
> >>>>>> scenarios?
> >>>>>>
> >>>>>> rob
> >>>>>>
> >>>>>
> >>>>> As far as I'm aware I'm not removing any ACI. I'm modifying ACI
> >>>>> so it is possible to add krbPrincipalName to host even when
> >>>>> there is already one (or more). And adding one ACI to allow
> >>>>> writing krbCanonicalName to host. But I'm still not really
> >>>>> familiar with ACI so please correct me if I'm wrong.
> >>>>>
> >>>>
> >>>> What Rob refers to is probably the update in ACI.txt - the ACI
> >>>> alternative to API.txt. David updated an ACI, not removed it.
> >>>>
> >>>> On that note, what is the reason for this permission change:
> >>>>
> >>>> -            'ipapermtargetfilter': [
> >>>> -                '(objectclass=ipahost)',
> >>>> -                '(!(krbprincipalname=*))',
> >>>> -            ],
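Review bot: the `(!(krbprincipalname=*))` clause removed here is what scopes this permission to hosts that have no principal yet, i.e. the enrollment case; dropping it from `ipapermtargetfilter` turns an "add the first principal" permission into "write krbprincipalname on any host". If the goal is to allow extra principal aliases, leave this filter on the existing permission and add a separate permission (with its own targetfilter) for the alias case rather than widening this one.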
> >>>>
> >>>> ?
> >>>
> >>> Yes, this is exactly the change I was referring to. Permission
> >>> changes within a plugin now translate automatically to ACI
> >>> changes. Sorry I wasn't clearer.
> >>>
> >>> This ACI gets replaced with a much simpler one and I'm not 100%
> >>> sure it will work with all enrollments:
> >>>
> >>> -aci: (targetattr = "krbprincipalname")(targetfilter =
> >>> "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl
> >>> "permission:System: Add krbPrincipalName to a Host";allow (write)
> >>> groupdn = "ldap:///cn=System: Add krbPrincipalName to a
> >>> Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
> >>>
> >>> +aci: (targetattr = "krbprincipalname")(targetfilter =
> >>> "(objectclass=ipahost)")(version 3.0;acl "permission:System: Add
> >>> krbPrincipalName to a Host";allow (write) groupdn =
> >>> "ldap:///cn=System: Add krbPrincipalName to a
> >>> Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
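Review bot: the `+aci:` line grants `write` on `krbprincipalname` to every `(objectclass=ipahost)` entry, and `write` in a 389-ds ACI covers adding, deleting and replacing values, so a holder of "System: Add krbPrincipalName to a Host" could replace the principal of an already enrolled host, not just set it once during OTP enrollment. Keep the original `(&(!(krbprincipalname=*))(objectclass=ipahost))` targetfilter on this ACI and put the alias use case in a new ACI of its own.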
> >>>
> >>> The first one restricts writing the attribute only if it isn't
> >>> already set. The second lets it be changed unconditionally.
> >>
> >> Yeah this is wrong indeed, the point of the ACI is to allow
> >> setting the principal only when it is not already set, which is
> >> the OTP enrollment case. But if krbprincipal is set then this
> >> specific permission should not grant rights to change it.
> >>
> >> At least this was my understanding.
> >>
> >> Simo.
> >
> > Right. It seems to me we should keep this permission intact and
> > add a new permission allowing adding krbPrincipalName aliases. This
> > would allow writing both krbPrincipalName and krbCanonicalName.
> >
> > Martin
> 
> Simo, Rob - are you OK with this approach? I.e. having a new
> permission just for allowing adding aliases and not touching the
> enrollment-related permission?
> 
> I would assign that new permission to Host Administrators privilege
> by default.

Yeah, sounds like that would be better.
Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
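To make the difference between the two targetfilters in the thread concrete, here is an added example (my own code, not part of FreeIPA or of the patch under review): a small evaluator for the subset of LDAP filter syntax that 389-ds ACI targetfilters use (`&`, `|`, `!`, presence and equality), run against three constructed entries. It shows that the original filter only matches a host with no `krbprincipalname` yet, while the replacement matches every `ipahost` entry, enrolled or not. The entry contents and the `compare()` helper are assumptions for the demonstration.

```python
"""Evaluate 389-ds style ACI targetfilters against LDAP-like entries.

Added example, not FreeIPA code. Supports only the filter subset the
two ACIs in the thread need: and (&), or (|), not (!), presence
(attr=*) and equality (attr=value). No escaping or substring filters.
Attribute names and values are compared case-insensitively, as LDAP
does for these attributes.
"""

# The two targetfilters quoted in the thread: original and replacement.
OLD_TARGETFILTER = "(&(!(krbprincipalname=*))(objectclass=ipahost))"
NEW_TARGETFILTER = "(objectclass=ipahost)"


def parse_filter(text):
    """Parse an RFC 4515 filter (subset) into a nested tuple tree."""
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter: %r" % text[pos:])
    return tree


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), pos + 1
    # Simple item: attr=value or attr=* (presence), up to the next ')'.
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError("bad filter item at offset %d" % pos)
    return ("=", attr.lower(), value), end + 1


def matches(tree, entry):
    """Evaluate a parsed filter against an entry of {attr: [values]}."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":
        return bool(values)          # presence: attribute has a value
    return value.lower() in values   # equality against any value


def aci_applies(targetfilter, entry):
    """True if an ACI with this targetfilter would apply to the entry."""
    return matches(parse_filter(targetfilter), entry)


# Constructed sample entries (assumed, not taken from the thread).
UNENROLLED_HOST = {
    "objectclass": ["ipahost", "ipaobject"],
    "fqdn": ["new.ipa.example"],
}
ENROLLED_HOST = {
    "objectclass": ["ipahost", "ipaobject"],
    "fqdn": ["web.ipa.example"],
    "krbprincipalname": ["host/web.ipa.example@IPA.EXAMPLE"],
}
USER_ENTRY = {
    "objectclass": ["person", "posixaccount"],
    "uid": ["alice"],
    "krbprincipalname": ["alice@IPA.EXAMPLE"],
}


def compare(entries):
    """Map each entry name to (old ACI applies, new ACI applies)."""
    return {
        name: (aci_applies(OLD_TARGETFILTER, e),
               aci_applies(NEW_TARGETFILTER, e))
        for name, e in entries.items()
    }


if __name__ == "__main__":
    samples = {
        "unenrolled host": UNENROLLED_HOST,
        "enrolled host": ENROLLED_HOST,
        "user": USER_ENTRY,
    }
    for name, (old, new) in compare(samples).items():
        print("%-16s old ACI: %-5s new ACI: %s" % (name, old, new))
```

The enrolled host is the case that matters: the original filter evaluates to False for it, so the permission cannot be used to touch an existing principal, while the replacement evaluates to True. A user entry stays out of scope under both because of the `objectclass=ipahost` term.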



