[Freeipa-users] Search Base issues

[Martin Kosek]

On 09/03/2014 03:08 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 09/03/2014 09:02 AM, Martin Kosek wrote:
>>> In the meantime, you can use the workaround that Rob sent, you would just need
>>> to delete it again when the fix is in, so that the permissions do not step on
>>> each other.
>>
>> Actually, wait a minute. I think Rob's ACI example may be too wide, it may
>> expose any attribute in the compat tree, including a potential userPassword.
> 
> The ACI was on his custom cn=canlogin subtree, not all of cn=compat.
> 
>> As I see, it seems that slapi-nis plugin do not fortunately expose that, but it
>> is safer to just list the attributes that one wants to display (this is also
>> what we did in FreeIPA 4.0, no global wildcard allowing ACIs any more).
>>
>> I added a respective permission via Web UI (one part of it cannot be added via
>> CLI, see https://fedorahosted.org/freeipa/ticket/4522) and compat tree now
>> works for me. See attached example.
>>
>> Resulting permission shown in CLI:
>>
>> # ipa permission-show "TEMPORARY - Read compat tree"
>>   Permission name: TEMPORARY - Read compat tree
>>   Granted rights: read, search, compare
>>   Effective attributes: cn, description, gecos, gidnumber, homedirectory,
>> loginshell, memberuid,
>>                         objectclass, uid, uidnumber
>>   Bind rule type: all
>>   Subtree: dc=mkosek-fedora20,dc=test
>>   ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
>>
>> It is much easier to manipulate than ACI added via ldapmodify.
> 
> I see you filed a bug on the missing CLI option. That's why I did the
> ACI, because I couldn't demonstrate how to add this ACI on the CLI. I
> hadn't gotten around to doing that last night.
> 
> rob

Right. Surprisingly, the option was available in Web UI, thus the Web UI
screenshot I attached to the thread :) But we have the CLI option fixed
already, will be part of FreeIPA 4.0.2 which will be released very soon.

Martin