On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Simo Sorce wrote:
>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>> >> +                'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>>> >> +                'ipanttrustposixoffset',
>>> >> 'ipantsupportedencryptiontypes',
>>> >> +                'ipantsidblacklistincoming',
>>> >> 'ipantsidblacklistoutgoing',
>>> >> +                # ipaNTDomainAttrs:
>>> >> +                'ipantsecurityidentifier', 'ipantflatname',
>>> >> 'ipantdomainguid',
>>> >> +                'ipantfallbackprimarygroup',
>>> >> +            },
>>> >> +        },
>>> >> +    }
>>> >>
>>> >>      label = _('Trusts')
>>> >>      label_singular = _('Trust')
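Review bot: the attribute set in this hunk grants every reader of the permission the trust-configuration attributes ('ipanttrustforesttrustinfo', 'ipanttrustposixoffset', 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing') together with the identifiers a resolver actually needs ('ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid'); if this permission ends up bound to all authenticated users, split the set so that the configuration attributes sit under a narrower permission, and extend the comment block (only the ipaNTDomainAttrs group is labelled here) to note which consumer needs each attribute so the split can be reviewed later.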
>>> >
>>> >In general I am not sure all authenticated users need access to all this
>>> >info. Alexander ?
>>> SSSD needs to read some of this information for subdomains support.
>>> That would be at least host/*@REALM who needs to access it.
>>
>> Can you please list exactly which ones are needed ?
> SSSD subdomains support needs:
>   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>     - ipaNTFlatName
>     - ipaNTSecurityIdentifier
>     - ipaNTTrustedDomainSID
>     - cn

Question is - is there any added value in hiding part of the
trust information from authenticated users? I.e. attributes like
ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
attribute anyway?), SID blacklists...

If yes, we would need to split this permission in 2 and have one for
authenticated users and one for "Trust Administrators" and "Trust Readers".

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel