[Freeipa-users] Providing minimal permissions to read replication status
James Hogarth
james.hogarth at gmail.com
Thu Aug 1 15:12:50 UTC 2013
On 1 August 2013 15:55, Rob Crittenden <rcritten at redhat.com> wrote:
> James Hogarth wrote:
>
>>
>> On 1 August 2013 09:36, Martin Kosek <mkosek at redhat.com
>> <mailto:mkosek at redhat.com>> wrote:
>>
>>
>> The patch for this would do basically this:
>> - remove the following aci:
>> (targetattr != aci)(version 3.0; aci "replica admins read access";
>> allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication
>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>> ... from installer and from LDAP as it is too general
>> - add new permission ACI like this:
>> (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)
>> (objectclass=nsds5replicationagreement)
>> (objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")
>> (version 3.0; acl "permission:Read Replication Agreements"; allow (read,
>> search, compare) groupdn = "ldap:///cn=Read Replication
>> Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>> - make sure that "Replication Administrators" privilege has it
>> assigned.
>>
>> I created an upstream ticket to track this effort:
>> https://fedorahosted.org/freeipa/ticket/3829
>>
>>
>> Reading the upstream documentation I'm wondering if it'd be sensible to
>> include an additional ACI in replica-acis.ldif of:
>> dn: $SUFFIX
>> changetype: modify
>> add: aci
>> aci: (targetattr="dn || nsDS5ReplConflict || nsUniqueID")
>> (targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")
>> (version 3.0; aci "conflict read access"; allow (read, search, compare)
>> groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>
>> From the upstream documentation here:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig
>>
>> This would allow a user with Read Replication Agreements permission to
>> be able to search for conflicts or tombstone records which would seem
>> sane from a monitoring point of view...
>>
>> What do you think?
>>
>
> I think this would be a separate issue. Being able to find the conflicting
> issues leads directly to the question "what do I do with them?" That is
> ticket https://fedorahosted.org/freeipa/ticket/1025
>
>
Thanks Rob - I think it's worthwhile adding the permissions in place to at
least find them as a 'quick win', as it were ...
What to do after that is an interesting question and would probably take a
fair chunk of work to make it nicely visible plus show ways to resolve it.
>
>> Also just to confirm the only thing I need to do with ACIs like this is
>> to update the ldif (delegation.ldif and replica-acis.ldif) with the new
>> role/privilege/permission and acis in install/share for the new installs
>> and add an appropriate entry (not quite ldif) in install/updates to
>> update the default schema of those updating in future, given no new
>> attributes - right?
>>
>
> You'll need to create a .update file in install/updates to modify an
> existing installation.
>
That's great - I had a look through the README in there and, looking at
other similar bits, it appears to be fairly simple.
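As an added example (not code from this thread or from the FreeIPA project), a small Python checker that parses the two ACIs quoted above and reports, for each, whether it grants only read/search/compare and whether a targetfilter scopes it to replication entries, which is the difference between the old "too general" ACI and the proposed one. The ACI strings are constructed copies with the archive's line-break artifacts removed; $SUFFIX is kept as the placeholder it is in the thread.

```python
import re

# Constructed copies of the two ACIs quoted in the thread, with the archive's
# "**" line-break artifacts removed; $SUFFIX stays the placeholder it is there.
OLD_ACI = ('(targetattr != aci)(version 3.0; aci "replica admins read access"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication '
           'Agreements,cn=permissions,cn=pbac,$SUFFIX";)')
NEW_ACI = ('(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)'
           '(objectclass=nsds5replicationagreement)'
           '(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")'
           '(version 3.0; acl "permission:Read Replication Agreements"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Read Replication '
           'Agreements,cn=permissions,cn=pbac,$SUFFIX";)')

# One target clause: (keyword op "quoted value") or (keyword op bare-value)
TARGET_RE = re.compile(r'\((\w+)\s*(!=|=)\s*(?:"([^"]*)"|([^)]*))\)')
# The permission body; 389 DS accepts both "aci" and "acl" as the name keyword.
BODY_RE = re.compile(r'\(version\s+3\.0;\s*(?:aci|acl)\s+"([^"]*)";\s*'
                     r'(allow|deny)\s*\(([^)]*)\)\s*(\w+)\s*=\s*"([^"]*)"\s*;\s*\)\s*$')
READ_ONLY = {"read", "search", "compare"}

def parse_aci(aci):
    """Split a 389 DS / FreeIPA ACI string into its target clauses and body."""
    start = aci.index("(version")
    targets = {}
    for kw, op, quoted, bare in TARGET_RE.findall(aci[:start]):
        targets[kw.lower()] = (op, quoted if quoted else bare.strip())
    m = BODY_RE.match(aci[start:])
    if not m:
        raise ValueError("unparseable ACI body: %r" % aci[start:])
    name, rule, perms, bind_kw, bind_val = m.groups()
    return {"name": name, "rule": rule, "targets": targets,
            "perms": {p.strip().lower() for p in perms.split(",")},
            "bind": (bind_kw.lower(), bind_val)}

def review(aci):
    """Least-privilege facts a reviewer wants before shipping a read ACI."""
    p = parse_aci(aci)
    ta = p["targets"].get("targetattr")
    tf = p["targets"].get("targetfilter")
    return {
        "name": p["name"],
        "read_only": p["rule"] == "allow" and p["perms"] <= READ_ONLY,
        "all_attrs": ta == ("=", "*"),
        # No targetfilter means the grant applies to every entry under the
        # suffix, which is what made the old ACI "too general" in the thread.
        "scoped_to_replication": tf is not None and "nsds5replica" in tf[1].lower(),
        "group": p["bind"][1],
    }
```

Running review() over both strings shows the old ACI is read-only but unscoped, while the new one reads all attributes yet only on the replication-related entries its filter selects.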