[Freeipa-users] Search Base issues

Rob Crittenden rcritten at redhat.com
Wed Sep 3 13:08:38 UTC 2014


Martin Kosek wrote:
> On 09/03/2014 09:02 AM, Martin Kosek wrote:
>> In the meantime, you can use the workaround that Rob sent, you would just need
>> to delete it again when the fix is in, so that the permissions do not step on
>> each other.
> 
> Actually, wait a minute. I think Rob's ACI example may be too wide; it may
> expose any attribute in the compat tree, including a potential userPassword.

The ACI was on his custom cn=canlogin subtree, not all of cn=compat.

> As I see it, the slapi-nis plugin fortunately does not expose that, but it
> is safer to just list the attributes that one wants to display (this is also
> what we did in FreeIPA 4.0: no global wildcard-allowing ACIs any more).
> 
> I added a respective permission via Web UI (one part of it cannot be added via
> CLI, see https://fedorahosted.org/freeipa/ticket/4522) and compat tree now
> works for me. See attached example.
> 
> Resulting permission shown in CLI:
> 
> # ipa permission-show "TEMPORARY - Read compat tree"
>   Permission name: TEMPORARY - Read compat tree
>   Granted rights: read, search, compare
>   Effective attributes: cn, description, gecos, gidnumber, homedirectory,
>                         loginshell, memberuid, objectclass, uid, uidnumber
>   Bind rule type: all
>   Subtree: dc=mkosek-fedora20,dc=test
>   ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
> 
> It is much easier to manipulate than ACI added via ldapmodify.

I see you filed a bug on the missing CLI option. That's why I did the
ACI, because I couldn't demonstrate how to add this ACI on the CLI. I
hadn't gotten around to doing that last night.

rob

> 
> HTH,
> Martin
> 
>>
>> Martin
>>
>> On 09/02/2014 11:09 PM, Rob Crittenden wrote:
>>> Chris Whittle wrote:
>>>> If I do this 
>>>>
>>>> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D
>>>> "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword'
>>>> -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"
>>>>
>>>> It works fine
>>>
>>> AFAICT there currently isn't a permission for the compat tree. The admin
>>> user can do it via "Admin can manage any entry" and of course DM can do
>>> it because it can do anything.
>>>
>>> A temporary workaround would be to add an aci manually:
>>>
>>> dn: dc=example,dc=com
>>> changetype: modify
>>> add: aci
>>> aci: (targetattr = "*")(target = "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl "Read canlogin compat tree";allow (compare,read,search) userdn = "ldap:///all";)
>>>
>>> This won't show up as a permission and will grant all authenticated
>>> users read access to the canlogin compat tree. I'm assuming here this
>>> contains entries keyed on uid.
>>>
>>> rob
> 
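The point of Martin's objection above is that `(targetattr = "*")` grants read access to every attribute under the target, so the safe form lists the attributes explicitly. The script below is an added example, not code from the thread or from FreeIPA: it parses an ACI of the shape Rob posted, flags a wildcard `targetattr`, and rewrites it to the explicit attribute list that Martin's permission exposes (taken from the `ipa permission-show` output above). The ACI layout the regex accepts and the `audit_aci`/`narrow_aci` names are assumptions made for this example; the `||` separator in `targetattr` is standard 389-ds ACI syntax.

```python
import re

# Sample input constructed from the thread: Rob's wildcard ACI.
WIDE_ACI = (
    '(targetattr = "*")'
    '(target = "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")'
    '(version 3.0;acl "Read canlogin compat tree";'
    'allow (compare,read,search) userdn = "ldap:///all";)'
)

# Attributes Martin's permission exposes, per the permission-show output.
COMPAT_ATTRS = ["cn", "description", "gecos", "gidnumber", "homedirectory",
                "loginshell", "memberuid", "objectclass", "uid", "uidnumber"]

# Assumed ACI layout: targetattr, target, then a single allow/userdn rule.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\s*\(target\s*=\s*"(?P<target>[^"]*)"\)'
    r'\s*\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";'
    r'\s*allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"(?P<userdn>[^"]*)";\)',
    re.DOTALL,
)


def parse_aci(aci):
    """Split an ACI string into its clauses; attribute lists use '||'."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI layout")
    parts = m.groupdict()
    parts["targetattr"] = [a.strip() for a in parts["targetattr"].split("||")]
    parts["rights"] = [r.strip() for r in parts["rights"].split(",")]
    return parts


def build_aci(targetattr, target, name, rights, userdn):
    """Re-emit an ACI from parsed clauses, in the same layout parse_aci reads."""
    return ('(targetattr = "%s")(target = "%s")(version 3.0;acl "%s";'
            'allow (%s) userdn = "%s";)'
            % (" || ".join(targetattr), target, name, ",".join(rights), userdn))


def audit_aci(aci):
    """Return a list of findings; an empty list means no exposure problem found."""
    p = parse_aci(aci)
    findings = []
    if "*" in p["targetattr"]:
        findings.append("targetattr is a wildcard: every attribute under "
                        "%s is readable, userPassword included if present"
                        % p["target"])
    if any(a.lower() == "userpassword" for a in p["targetattr"]):
        findings.append("userPassword is explicitly exposed")
    return findings


def narrow_aci(aci, attrs):
    """Replace a wildcard targetattr with an explicit attribute list."""
    p = parse_aci(aci)
    return build_aci(attrs, p["target"], p["name"], p["rights"], p["userdn"])


if __name__ == "__main__":
    for finding in audit_aci(WIDE_ACI):
        print("WIDE:", finding)
    fixed = narrow_aci(WIDE_ACI, COMPAT_ATTRS)
    print("NARROWED:", fixed)
    print("findings after narrowing:", audit_aci(fixed))
```

Run over the wildcard ACI the audit reports the exposure; after `narrow_aci` the re-parsed `targetattr` is exactly the ten compat attributes and the audit is clean. The same rewrite applies whether the ACI is loaded with `ldapmodify` or expressed as an IPA permission.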
