[Freeipa-users] Providing minimal permissions to read replication status
James Hogarth
james.hogarth at gmail.com
Thu Aug 1 13:56:16 UTC 2013
On 1 August 2013 09:36, Martin Kosek <mkosek at redhat.com> wrote:
>
>
> The patch for this would do basically this:
> - remove the following aci:
> (targetattr != aci)(version 3.0; aci "replica admins read access"; allow
> (read,
> search, compare) groupdn = "ldap:///cn=Modify Replication
> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
> ... from installer and from LDAP as it is too general
> - add new permission ACI like this:
>
> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
> 3.0; acl "permission:Read Replication Agreements"; allow (read, search,
> compare) groupdn = "ldap:///cn=Read Replication
> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
> - make sure that "Replication Administrators" privilege has it assigned.
>
> I created an upstream ticket to track this effort:
> https://fedorahosted.org/freeipa/ticket/3829
>
>
Reading the upstream documentation I'm wondering if it'd be sensible to
include an additional ACI in replica-acis.ldif of:
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr=dn nsDS5ReplConflict
nsUniqureID)(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")((version
3.0; aci "conflict read access"; allow (read, search, compare) groupdn =
"ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>From the upstream documentation here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig
This would allow a user with Read Replication Agreements permission to be
able to search for conflicts or tombstone records which would seem sane
from a monitoring point of view...
What do you think?
Also just to confirm the only thing I need to do with ACIs like this is to
update the ldif (delegation.ldif and replica-acis.ldif) with the new
role/privilege/permission and acis in install/share for the new installs
and add an appropriate entry (not quite ldif) in install/updates to update
the default schema of those updating in future, given no new attributes -
right?
Cheers,
James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130801/e8eb489f/attachment.htm>
More information about the Freeipa-users
mailing list