URL: https://github.com/freeipa/freeipa/pull/2197
Author: flo-renaud
Title: #2197: [Backport][ipa-4-6] Allow anonymous access to parentID attribute
Action: opened

PR body:
"""
Manual backport to ipa-4-6 of PR #1752 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2197/head:pr2197
git checkout pr2197
From 3eb611f1502eb7216f328f2de6b95f7d8bc4b918 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 28 Mar 2018 12:39:12 +0300
Subject: [PATCH] Allow anonymous access to parentID attribute

Due to optimizations in 389-ds performed as a result of
https://pagure.io/389-ds-base/issue/49372, the LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now but the FreeIPA DS instance does not allow it.

As a result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.

While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading parentID attribute at the suffix level.

Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 install/updates/20-aci.update | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index bab3141445..184749d781 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -21,6 +21,10 @@ add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other hos
 dn: $SUFFIX
 add:aci:(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";;)
 
+# Read access to parentID information to allow filter optimizations in 389-ds
+dn: $SUFFIX
+add:aci:(targetattr="parentid")(version 3.0; acl "Anonymous read access to parentID information"; allow(read, search, compare) userdn = "ldap:///anyone";;)
+
 # Read access to containers
 dn: $SUFFIX
 add:aci:(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)
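Review bot: The new ACI at `add:aci:(targetattr="parentid")...` carries no `targetfilter` or `target` clause, so unlike the two neighbouring "Anonymous read access" ACIs it applies to every entry under `$SUFFIX`; that is deliberate here, since the 389-ds filter rewrite described in the commit message needs parentID on any entry a one-level search may touch, but it should be stated in the comment so a later reader does not "fix" it by narrowing the scope. The exposure is limited to the operational parentid attribute (the numeric entry id of the parent), and the ACI grants no access to any other attribute, so anonymous callers learn only the tree relationship of entries they can already match; still, the update comment should reference https://pagure.io/389-ds-base/issue/49617 as the condition under which this ACI can be removed once 389-ds no longer requires the attribute to be readable, e.g. "# Read access to parentID information to allow filter optimizations in 389-ds (workaround for 389-ds issue 49617, remove when fixed)".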
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/C2IWIV7BMC5L6EYQRQGCRFMWC7AIETKE/