[Freeipa-users] Providing minimal permissions to read replication status

James Hogarth james.hogarth at gmail.com
Thu Aug 1 15:12:50 UTC 2013


On 1 August 2013 15:55, Rob Crittenden <rcritten at redhat.com> wrote:

> James Hogarth wrote:
>
>>
>>
>>
>> On 1 August 2013 09:36, Martin Kosek <mkosek at redhat.com
>> <mailto:mkosek at redhat.com>> wrote:
>>
>>
>>     The patch for this would do basically this:
>>     - remove the following aci:
>>     (targetattr != aci)(version 3.0; aci "replica admins read access";
>>     allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication
>>     Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>     ... from installer and from LDAP as it is too general
>>     - add new permission ACI like this:
>>     (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version
>>     3.0; acl "permission:Read Replication Agreements"; allow (read, search,
>>     compare) groupdn = "ldap:///cn=Read Replication
>>     Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>     - make sure that "Replication Administrators" privilege has it
>> assigned.
>>
>>     I created an upstream ticket to track this effort:
>>     https://fedorahosted.org/freeipa/ticket/3829
>>
>>
>> Reading the upstream documentation I'm wondering if it'd be sensible to
>> include an additional ACI in replica-acis.ldif of:
>> dn: $SUFFIX
>> changetype: modify
>> add: aci
>> aci: (targetattr="dn || nsDS5ReplConflict || nsUniqueID")(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")(version
>> 3.0; aci "conflict read access"; allow (read, search, compare) groupdn =
>> "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>
>> From the upstream documentation here:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig
>>
>> This would allow a user with Read Replication Agreements permission to
>> be able to search for conflicts or tombstone records which would seem
>> sane from a monitoring point of view...
>>
>> What do you think?
>>
>
> I think this would be a separate issue. Being able to find the conflicting
> issues leads directly to the question "what do I do with them?" That is
> ticket https://fedorahosted.org/freeipa/ticket/1025
>
>
Thanks Rob - I think it is worthwhile adding the permissions in place to at
least find them, as a 'quick win' as it were ...

What to do after that is an interesting question and would probably take a
fair chunk of work to make it nicely visible plus show ways to resolve it.


>
>  Also just to confirm the only thing I need to do with ACIs like this is
>> to update the ldif (delegation.ldif and replica-acis.ldif) with the new
>> role/privilege/permission and acis in install/share for the new installs
>> and add an appropriate entry (not quite ldif) in install/updates to
>> update the default schema of those updating in future, given no new
>> attributes - right?
>>
>
> You'll need to create a .update file in install/updates to modify an
> existing installation.
>
>
That's great - I had a look through the README in there and, looking at
other similar bits, it appears to be fairly simple.
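For readers who want to see the change discussed above written out, here is the whole thing as one LDIF fragment in the style of install/share/replica-acis.ldif: Martin's two steps (drop the broad read ACI, add the narrow "Read Replication Agreements" one and bind it to the Replication Administrators privilege) and James's conflict/tombstone read ACI with its syntax tidied. This is an added example, not the patch that went upstream for ticket 3829 and not code posted by either author. Assumptions: $SUFFIX is the installer placeholder used in the thread; the replication ACIs are attached to cn=config and cn=mapping tree,cn=config, where the other replication ACIs of that era lived, while the conflict ACI sits on the suffix itself because that is where conflict entries and tombstones are; the permission entry uses the groupofnames/ipapermission layout with a member attribute pointing at the privilege, as the 3.x delegation.ldif did; and the attribute list in the conflict ACI (objectClass added so the tombstone filter is searchable) is my choice, not something the thread specifies.

```ldif
# Added example, not the upstream patch. $SUFFIX is the installer
# placeholder (for example dc=example,dc=com); the DNs the ACIs are
# attached to are assumptions based on where replica-acis.ldif put
# the other replication ACIs at the time.

# 1. Remove the over-broad ACI: it let Modify Replication Agreements
#    members read every attribute except aci under cn=config.
dn: cn=config
changetype: modify
delete: aci
aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

# 2. The new permission object. The member attribute is what assigns
#    it to the Replication Administrators privilege (3.x layout).
dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read Replication Agreements
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX

# 3. Read access limited by targetfilter to replica, agreement and
#    mapping-tree entries, nothing else under cn=config.
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

# 4. Monitoring-only view of conflict and tombstone entries on the
#    suffix. Only the attributes needed to find them are exposed;
#    objectClass is included because the search filter
#    (objectclass=nsTombstone) needs search rights on it.
#    Attribute list is an assumption, not from the thread.
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr="nsDS5ReplConflict || nsUniqueID || objectClass")(targetfilter="(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))")(version 3.0; acl "permission:Read Replication Conflicts"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
```

For a new install this goes through ldapmodify as Directory Manager during setup; for existing installations, as Rob says, the same records are expressed in a .update file in install/updates, where the permission entry becomes a block of default: lines and the ACI changes become remove:aci:'...' and add:aci:'...' lines on the respective DNs. To check the result, bind as a user who holds only the Replication Administrators privilege and search cn=mapping tree,cn=config for (objectclass=nsds5replicationagreement) and $SUFFIX for (nsDS5ReplConflict=*) and (objectclass=nsTombstone); those should return entries, while a search for ordinary user entries under $SUFFIX or for other cn=config entries should return nothing, which confirms the broad "replica admins read access" ACI is really gone.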