On Mon, 2014-03-31 at 15:39 +0200, Martin Kosek wrote:
> On 03/31/2014 02:53 PM, Simo Sorce wrote:
> > On Mon, 2014-03-31 at 10:41 +0200, Ludwig Krispenz wrote:
> ...
> >>> 3) Add a special attribute to mark "public" containers, and add an ACI
> >>> with a filter on that. Something like objectClass=ipaPublicContainer
> >>> would do.
> >> there is one more option
> >> 4) add an allow aci for cn=accounts,$S and a deny aci for
> >> cn=*,cn=accounts,$S or uid=*,cn=accounts,$S
> >
> > We want to get rid of deny ACIs if at all possible.
> >
> >> In general I think we should implement 1), there will be other scenarios
> >> where it could be useful. If something is needed immediately I would
> >> also prefer 3)
> >
> > I wonder, can we have an objectclass that defines no attributes?
> > Or do we always need to have a MAY at least?
>
> This particular objectclass could have just one MUST attribute - cn. Similarly
> to what nsContainer has.
>
> > Anyway I agree that the simplest solution would be to have an
> > objectclass to filter on.
> >
> > But I see 2 options.
> > 1. objectClass=ipaPublicContainer
> > 2. objectClass=ipaPrivateContainer
> >
> > The problem with the second is adding a
> > (!(objectclass=ipaPrivateContainer)) everywhere ...
> >
>
> I already elaborated on that topic later in this thread, please check it. It
> also includes an attached list of containers we already have. IMO most of the
> containers we have will be public, rather than private, as LDAP nsContainer's
> cn attribute is semantically not meant to contain secrets we want to hide.
>
> So instead of adding 61 ipaPublicContainer everywhere I would just allow
> reading nsContainers (cn+objectclass) anonymously + have ipaPrivateContainer
> available in case we need it (I am not aware of any such case though).
Yeah sorry, I replied in order. I agree with your proposal of allowing (objectclass=nsContainer) and a targetfilter that simply excludes the cn=etc subtree.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
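What the agreed approach looks like as a single 389 Directory Server ACI, written here as an added illustration rather than code from the FreeIPA project or this thread: one allow rule for anonymous read of the cn and objectClass attributes of every nsContainer entry, with the cn=etc subtree carved out by a negated target and the proposed ipaPrivateContainer objectclass excluded in the targetfilter so no deny ACI is needed. The suffix dc=example,dc=com stands in for $SUFFIX, and ipaPrivateContainer is the objectclass proposed above; it is not assumed to exist in the shipped schema and would need its own definition (a MUST of cn, like nsContainer) before this filter has any effect.

```ldif
# Added example, not the FreeIPA project's own ACI.
# Assumptions: suffix dc=example,dc=com (placeholder for $SUFFIX);
# ipaPrivateContainer is the objectclass proposed in the thread and
# must be defined in schema before the negated filter term matters.
# Continuation lines start with a single space, so the aci value is
# joined into one string when the LDIF is applied.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || objectClass")
 (targetfilter = "(&(objectClass=nsContainer)(!(objectClass=ipaPrivateContainer)))")
 (target != "ldap:///cn=etc,dc=example,dc=com")
 (version 3.0; acl "Anonymous read access to container names";
 allow (read, search, compare) userdn = "ldap:///anyone";)
```

Apply it with `ldapmodify -H ldap://server -D "cn=Directory Manager" -W -f containers.ldif`, then check the effect as an anonymous bind with `ldapsearch -x -H ldap://server -b dc=example,dc=com "(objectClass=nsContainer)" cn`: containers under cn=accounts should list, nothing under cn=etc should, and only cn and objectClass come back because targetattr limits the rule to those two attributes. Because the rule is allow-only, an anonymous client that later gains read on another attribute has to get it from a separate ACI; nothing here widens beyond the two listed attributes.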
