On 05/03/2013 04:20 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 05/01/2013 03:33 PM, Nathaniel McCallum wrote:
>>> Below is my first stab at ACLs. They don't actually work right, but I'm not
>>> sure what I've done wrong. The basic gist is that nobody gets any
>>> permissions by default. Admins get full permissions and users get limited
>>> permissions for their own tokens. Any help would be appreciated.
>>
>> We have an ACI allowing read access to all attributes or trees that were not
>> forbidden:
>>
>> aci: (target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
>>
>> If you want to hide some attributes from regular users and only allow them to
>> be read by admins, you need to extend the targetattr list. This can be done in
>> ipaserver/install/plugins/update_anonymous_aci.py.
>>
>>>
>>> Nathaniel
>>>
>>> dn: $SUFFIX
>>> changetype: modify
>>> add: aci
>>> aci: (targetattrs = "ipatokenRadiusConfigLink || ipatokenRadiusUserName")(version 3.0; acl "RADIUS user configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>>> aci: (targetattrs = "ipatokenRadiusConfigLink || ipatokenRadiusUserName")(version 3.0; acl "Admins can manage RADIUS user configuration"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> The deny rule will override the allow rule, so this won't allow admins to do
>> anything. Couldn't we just add ipatokenRadiusConfigLink and
>> ipatokenRadiusUserName to the global ACI blacklist above? Then you could delete
>> both ACIs.
>>
>> Admins' read and write access is already allowed by this ACI:
>>
>> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com";)
>>
>>> aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattrs = "*")(version 3.0; acl "RADIUS configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>>> aci: (targetfilter = "(objectClass=ipatokenRadiusConfiguration)")(targetattrs = "*")(version 3.0; acl "Admins can manage RADIUS configuration"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> This won't work for the reasons above. Maybe we should add
>>
>> (targetfilter != "(objectClass=ipatokenRadiusConfiguration)")
>>
>> to the global ACI?
>>
>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "*")(version 3.0; acl "Token configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "*")(version 3.0; acl "Admins can manage token configuration"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> We would just update the global ACI.
>>
>>> aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "ipatokenUniqueID || description || ipatokenOwner || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial")(version 3.0; acl "Users can read/add basic token info"; allow (read, add, search, compare) userattr = "ipatokenOwner#USERDN";)
>>
>> Looks ok.
>>
>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "*")(version 3.0; acl "TOTP Token configuration is priviledged"; deny (all) userdn = "ldap:///all";)
>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "*")(version 3.0; acl "Admins can manage TOTP token configuration"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> We would just update the global ACI.
>>
>>> aci: (targetfilter = "(objectClass=ipatokenTOTP)")(targetattrs = "ipatokenOTPkey || ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenTOTPclockOffset || ipatokenTOTPtimeStep")(version 3.0; acl "Users can add TOTP token secrets"; allow (add, search) userattr = "ipatokenOwner#USERDN";)
>>
>> Looks ok.
>>
>> Rob, Simo - does this proposal seem reasonable?
>
> Yes, this is the direction I've been moving this morning, doing some
> experimentation now using targetfilter. I'll be happy if we can avoid adding all
> these attributes to the global ACI.
>
> rob
>
Not sure if we can avoid it though, given that our current ACI allows access to
anything that is not blacklisted in it. I think the updated global ACI should
look like this:

aci: (target != "ldap:///idnsname=*,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipatokenRadiusConfigLink || ipatokenRadiusUserName")(targetfilter = "(&(!(objectClass=ipatokenRadiusConfiguration))(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP)))")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

I agree this is getting awkward; in this case we will need to change the ACI
structure. There is already an open ticket for that:
https://fedorahosted.org/freeipa/ticket/3566

Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
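The precedence rule the thread turns on (a matching deny wins over any allow, and nothing is allowed by default) can be checked without standing up a directory server. The following is an added example, not code from FreeIPA or 389-ds: a reduced Python model of ACI evaluation that encodes the draft's deny/allow pair, the extended anonymous ACI, the admin ACI and the owner ACI, and asks the questions raised above. The suffix dc=example,dc=com, the users alice and bob, the token entry, the shortened attribute blacklists, and the names evaluate, Aci, Entry and Bind are all the example's own assumptions, not anything from the thread.

```python
# Added example, not FreeIPA or 389-ds code: a reduced model of 389-ds ACI evaluation.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ALL = frozenset({"read", "search", "compare", "write", "add", "delete"})
READ = frozenset({"read", "search", "compare"})
SUFFIX = "dc=example,dc=com"                     # assumed; the thread writes $SUFFIX
ADMINS = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"

def names(*values: str) -> FrozenSet[str]:
    return frozenset(v.lower() for v in values)  # LDAP names are case-insensitive

@dataclass
class Aci:
    allow: bool                                  # False models a "deny" ACI
    rights: FrozenSet[str]
    attrs: FrozenSet[str]                        # {"*"} means every attribute
    attrs_negated: bool = False                  # targetattr != "a || b"
    classes: FrozenSet[str] = frozenset()        # objectClass values named in targetfilter
    classes_negated: bool = False                # (&(!(objectClass=a))(!(objectClass=b))...)
    userdn: Optional[str] = None                 # "anyone", or "all" (authenticated users only)
    groupdn: Optional[str] = None
    userattr_owner: Optional[str] = None         # userattr = "<attr>#USERDN"

@dataclass
class Entry:
    classes: FrozenSet[str]
    values: Dict[str, str]                       # lower-cased attribute -> value

@dataclass
class Bind:
    dn: Optional[str]                            # None models an anonymous bind
    groups: FrozenSet[str] = frozenset()

def _bind_matches(aci: Aci, bind: Bind, entry: Entry) -> bool:
    if aci.userdn == "anyone":
        return True
    if aci.userdn == "all":
        return bind.dn is not None
    if aci.groupdn is not None:
        return aci.groupdn in bind.groups
    if aci.userattr_owner is not None:           # 389-ds compares normalized DNs; equality suffices here
        return bind.dn is not None and entry.values.get(aci.userattr_owner) == bind.dn
    return False

def _target_matches(aci: Aci, entry: Entry, attr: str) -> bool:
    attr_hit = ("*" in aci.attrs or attr.lower() in aci.attrs) != aci.attrs_negated
    class_hit = not aci.classes or bool(aci.classes & entry.classes) != aci.classes_negated
    return attr_hit and class_hit

def evaluate(acis: List[Aci], bind: Bind, entry: Entry, attr: str, right: str) -> bool:
    """Default deny; one matching deny wins over every matching allow."""
    matching = [a for a in acis if right in a.rights
                and _target_matches(a, entry, attr) and _bind_matches(a, bind, entry)]
    return bool(matching) and all(a.allow for a in matching)

RADIUS_USER_ATTRS = names("ipatokenRadiusConfigLink", "ipatokenRadiusUserName")
TOKEN_CLASSES = names("ipatokenRadiusConfiguration", "ipaToken", "ipatokenTOTP")
SECRETS = names("userPassword", "krbPrincipalKey", "ipaNTHash")   # shortened blacklists

# First draft: a deny for every authenticated user paired with an allow for admins.
DENY_PAIR = [
    Aci(False, ALL, RADIUS_USER_ATTRS, userdn="all"),
    Aci(True, ALL, RADIUS_USER_ATTRS, groupdn=ADMINS),
]

# Blacklist direction: extended anonymous ACI, unchanged admin ACI, owner ACI from the draft.
PROPOSAL = [
    Aci(True, READ, SECRETS | RADIUS_USER_ATTRS, attrs_negated=True,
        classes=TOKEN_CLASSES, classes_negated=True, userdn="anyone"),
    Aci(True, ALL, SECRETS, attrs_negated=True, groupdn=ADMINS),
    Aci(True, frozenset({"read", "add", "search", "compare"}),
        names("ipatokenUniqueID", "description", "ipatokenOwner", "ipatokenNotBefore", "ipatokenNotAfter",
              "ipatokenVendor", "ipatokenModel", "ipatokenSerial"),
        classes=names("ipaToken"), userattr_owner="ipatokenowner"),
]

# Constructed sample data: two users and one TOTP token owned by alice.
ALICE, BOB = (f"uid={u},cn=users,cn=accounts,{SUFFIX}" for u in ("alice", "bob"))
USER_ENTRY = Entry(names("person", "posixAccount"), {"cn": "Alice", "ipatokenradiususername": "alice"})
TOKEN_ENTRY = Entry(names("ipaToken", "ipatokenTOTP"),
                    {"ipatokenowner": ALICE, "ipatokenserial": "12345", "ipatokenotpkey": "secret"})
ANON, ADMIN = Bind(None), Bind(f"uid=admin,cn=users,cn=accounts,{SUFFIX}", frozenset({ADMINS}))

def deny_pair_blocks_admin() -> bool:
    """Admins are authenticated, so the 'all' deny matches them and their allow never wins."""
    return not evaluate(DENY_PAIR, ADMIN, USER_ENTRY, "ipatokenRadiusUserName", "read")

def proposal_results() -> Dict[str, bool]:
    alice, bob = Bind(ALICE), Bind(BOB)
    return {
        "anon_reads_cn": evaluate(PROPOSAL, ANON, USER_ENTRY, "cn", "read"),
        "anon_reads_radius_user": evaluate(PROPOSAL, ANON, USER_ENTRY, "ipatokenRadiusUserName", "read"),
        "anon_reads_token_serial": evaluate(PROPOSAL, ANON, TOKEN_ENTRY, "ipatokenSerial", "read"),
        "admin_writes_otp_key": evaluate(PROPOSAL, ADMIN, TOKEN_ENTRY, "ipatokenOTPkey", "write"),
        "owner_reads_own_serial": evaluate(PROPOSAL, alice, TOKEN_ENTRY, "ipatokenSerial", "read"),
        "owner_reads_own_otp_key": evaluate(PROPOSAL, alice, TOKEN_ENTRY, "ipatokenOTPkey", "read"),
        "other_user_reads_serial": evaluate(PROPOSAL, bob, TOKEN_ENTRY, "ipatokenSerial", "read"),
    }
```

Calling deny_pair_blocks_admin() returns True: the deny with userdn "all" matches admins as well, so their allow never takes effect. proposal_results() shows the other approach behaving as intended: anonymous reads still succeed on ordinary entries but not on the blacklisted RADIUS attributes or on token entries, admins keep full access, and a token owner can read the basic attributes of their own token but not its ipatokenOTPkey, and cannot read anyone else's token. The model deliberately ignores the target DN clause, combined bind rules within one ACI, and DN normalization.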