On Tue, 2014-04-01 at 13:32 +0200, Martin Kosek wrote:
> On 03/31/2014 06:01 PM, Simo Sorce wrote:
> > On Mon, 2014-03-31 at 15:39 +0200, Martin Kosek wrote:
> >> On 03/31/2014 02:53 PM, Simo Sorce wrote:
> >>> On Mon, 2014-03-31 at 10:41 +0200, Ludwig Krispenz wrote:
> >> ...
> >>>>> 3) Add a special attribute to mark "public" containers, and add an ACI
> >>>>> with a filter on that. Something like objectClass=ipaPublicContainer
> >>>>> would do.
> >>>> there is one more option
> >>>> 4) add an allow aci for cn=accounts,$S and a deny aci for
> >>>> cn=*,cn=accounts,$S or uid=*,cn=accounts,$S
> >>>
> >>> We want to get rid of deny ACIs if at all possible.
> >>>
> >>>> In general I think we should implement 1), there will be other scenarios
> >>>> where it could be useful. If something is needed immediately I would
> >>>> also prefer 3)
> >>>
> >>> I wonder, can we have an objectclass that defines no attributes ?
> >>> Or do we always need to have a MAY at least ?
> >>
> >> This particular objectclass could have just one MUST attribute - cn.
> >> Similarly to what nsContainer has.
> >>
> >>> Anyway I agree that the simplest solution would be to have an
> >>> objectclass to filter on.
> >>>
> >>> But I see 2 options.
> >>> 1. objectClass=ipaPublicContainer
> >>> 2. objectClass=ipaPrivateContainer
> >>>
> >>> The problem with the second is adding a
> >>> (!(objectclass=ipaPrivateContainer)) everywhere ...
> >>>
> >>
> >> I already elaborated on that topic later in this thread, please check it.
> >> It also includes an attached list of containers we already have. IMO most of
> >> the containers we have will be public, rather than private, as LDAP nsContainer's
> >> cn attribute is semantically not meant to contain secrets we want to hide.
> >>
> >> So instead of adding 61 ipaPublicContainer everywhere I would just allow
> >> reading nsContainers (cn+objectclass) anonymously + have ipaPrivateContainer
> >> available in case we need it (I am not aware of any such case though).
> >
> > Yeah sorry, I replied in order.
> >
> > I agree with your proposal of allowing (objectclass=nsContainer) and a
> > targetfilter that simply excludes the cn=etc subtree.
> >
> > Simo.
>
> Ok. I just wonder if we really need the ipaPrivateContainer ACI exception. We
> may want to wait with such an objectclass unless it is really needed. For now, it
> did not seem to me that there is any entry where it is needed.

I would hold on as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
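For readers following the design discussion, here is what the agreed approach (an allow-only ACI keyed on objectclass=nsContainer, limited to cn and objectClass, with the cn=etc subtree carved out) looks like in 389 Directory Server ACI syntax. This is an added illustration, not the ACI FreeIPA actually shipped and not code from anyone in the thread. It assumes `$SUFFIX` stands for the directory suffix (for example `dc=example,dc=com`), that the negated `target` keyword is used to exclude the cn=etc subtree rather than a filter, and the ACL name is made up for the example.

```ldif
# Added example, not from the thread: grant anonymous read of the
# cn and objectClass attributes on every nsContainer entry, except
# anything at or below cn=etc,$SUFFIX. No deny ACI is involved;
# the exclusion is expressed on the allow rule itself.
# $SUFFIX is a placeholder for the real directory suffix.
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "cn || objectclass")
 (targetfilter = "(objectclass=nsContainer)")
 (target != "ldap:///cn=etc,$SUFFIX")
 (version 3.0; acl "Anonymous read access to public containers";
 allow (read, search, compare) userdn = "ldap:///anyone";)
```

After loading this with `ldapmodify`, the check a reviewer would want is an anonymous (`-x`, no bind DN) `ldapsearch` over `$SUFFIX` for `(objectclass=nsContainer)` requesting only `cn`: container entries under cn=accounts and similar should come back with nothing but cn and objectClass, and no entry whose DN ends in `cn=etc,$SUFFIX` should appear at all. If the same search with a non-container filter returns data, the attribute or filter restriction has been widened somewhere and the ACI should be re-read before it is committed.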
