Martin Kosek wrote:
On 05/01/2013 03:33 PM, Nathaniel McCallum wrote:
Below is my first stab at ACLs. They don't actually work right, but I'm not 
sure what I've done wrong. The basic gist is that nobody gets any permissions 
by default. Admins get full permissions and users get limited permissions for 
their own tokens. Any help would be appreciated.


We have an ACI allowing read access to all attributes or trees that were not
forbidden:

aci: (target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
  om")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sam
  baNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaN
  TTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anony
  mous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)

If you want to hide some attributes from regular users and only allow them to
be read by admins, you need to extend targetattr list. This can be done in
ipaserver/install/plugins/update_anonymous_aci.py.


Nathaniel

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "ipatokenRadiusConfigLink || ipatokenRadiusUserName")(version 3.0; acl
  "RADIUS user configuration is privileged"; deny (all) userdn = "ldap:///all";;)
aci: (targetattr = "ipatokenRadiusConfigLink || ipatokenRadiusUserName")(version 3.0; acl
  "Admins can manage RADIUS user configuration"; allow (all)
  groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)

The deny rule will override the allow rule, so this won't allow admins to do
anything. Couldn't we just add ipatokenRadiusConfigLink and
ipatokenRadiusUserName to the global ACI blacklist above? Then you could delete
both ACIs. Admins' read & write access is already allowed by this ACI:

aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sam
  baNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonica
  lName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration |
  | krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPw
  dHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLas
  tSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId ||
   memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Ad
  min can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups
  ,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com";)

aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattr = "*")(version 3.0;
  acl "RADIUS configuration is privileged"; deny (all) userdn = "ldap:///all";;)
aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattr = "*")(version 3.0;
  acl "Admins can manage RADIUS configuration"; allow (all) groupdn =
  "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)

This won't work for the reasons above. Maybe we should add

(targetfilter != "(objectClass=ipatokenRadiusConfiguration)")

to the global ACI?

aci: (targetfilter = "(objectClass=ipaToken)")(targetattr = "*")(version 3.0; acl "Token
  configuration is privileged"; deny (all) userdn = "ldap:///all";;)
aci: (targetfilter = "(objectClass=ipaToken)")(targetattr = "*")(version 3.0; acl "Admins can
  manage token configuration"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)

We would just update global ACI.

aci: (targetfilter = "(objectClass=ipaToken)")(targetattr = "ipatokenUniqueID || description ||
  ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel ||
  ipatokenSerial")(version 3.0; acl "Users can read/add basic token info"; allow (read, add, search,
  compare) userattr = "ipatokenOwner#USERDN";)

Looks ok.

aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattr = "*")(version 3.0; acl "TOTP
  Token configuration is privileged"; deny (all) userdn = "ldap:///all";;)
aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattr = "*")(version 3.0; acl "Admins
  can manage TOTP token configuration"; allow (all) groupdn =
  "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)

We would just update global ACI.

aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattr = "ipatokenOTPkey || ipatokenOTPalgorithm
  || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add
  TOTP token secrets"; allow (add, search) userattr = "ipatokenOwner#USERDN";)

Looks ok.

Rob, Simo - does this proposal seem reasonable?

Yes, this is the direction I've been moving this morning, doing some experimentation now using targetfilter. I'll be happy if we can avoid adding all these attributes to the global ACI.

rob
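To make the point of the thread concrete, here is a small Python model of the ACI evaluation rules the discussion relies on (deny precedence, `targetattr !=` and `targetfilter !=` exclusions, and the difference between `ldap:///all` and `ldap:///anyone`). It is an added example, not FreeIPA or 389-ds code; the suffix is a placeholder and the secret-attribute list is shortened, while the attribute and objectClass names are the ones from the patch.

```python
from dataclasses import dataclass

# Constructed values: placeholder suffix; attribute and objectClass names come from the thread.
SUFFIX = "dc=example,dc=test"
ADMINS = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
RADIUS_ATTRS = frozenset({"ipatokenRadiusConfigLink", "ipatokenRadiusUserName"})
SECRET_ATTRS = frozenset({"userPassword", "krbPrincipalKey", "ipaNTHash"})  # shortened list
ANON = frozenset({"anyone"})                  # unauthenticated bind
USER = frozenset({"anyone", "all"})           # any authenticated user ("ldap:///all")
ADMIN = frozenset({"anyone", "all", ADMINS})  # authenticated member of cn=admins

@dataclass(frozen=True)
class Aci:
    name: str
    effect: str                           # "allow" or "deny"
    bind: str                             # "anyone", "all" or a group DN
    attrs: frozenset = frozenset()        # targetattr = "..."; empty means "*"
    attrs_not: frozenset = frozenset()    # targetattr != "..."
    classes_not: frozenset = frozenset()  # targetfilter != "(objectClass=...)"

    def matches(self, classes, attr, subject):
        """Does this ACI cover reading `attr` on an entry with `classes` for `subject`?"""
        if self.classes_not & classes or attr in self.attrs_not:
            return False
        if self.attrs and attr not in self.attrs:
            return False
        return self.bind in subject

def may_read(acis, classes, attr, subject):
    """Deny precedence: one matching deny blocks the read regardless of any allows."""
    hits = [a for a in acis if a.matches(classes, attr, subject)]
    return not any(a.effect == "deny" for a in hits) and any(a.effect == "allow" for a in hits)

# The two existing ACIs quoted in the thread, with shortened exclusion lists.
BASE = [Aci("Enable Anonymous access", "allow", "anyone", attrs_not=SECRET_ATTRS),
        Aci("Admin can manage any entry", "allow", ADMINS, attrs_not=SECRET_ATTRS)]

def first_stab():
    """Deny for all authenticated users plus allow for admins, as in the first patch."""
    return BASE + [Aci("RADIUS user configuration is privileged", "deny", "all", attrs=RADIUS_ATTRS),
                   Aci("Admins can manage RADIUS user configuration", "allow", ADMINS, attrs=RADIUS_ATTRS)]

def global_aci_proposal():
    """Narrow the anonymous ACI instead: exclude the attributes and the objectClass."""
    anon = Aci("Enable Anonymous access", "allow", "anyone", attrs_not=SECRET_ATTRS | RADIUS_ATTRS,
               classes_not=frozenset({"ipatokenRadiusConfiguration"}))
    return [anon, BASE[1]]
```

Running `may_read(first_stab(), {"person"}, "ipatokenRadiusUserName", ADMIN)` returns False because the deny matches admins too, while the same call against `global_aci_proposal()` returns True and the USER and ANON subjects get False.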

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
