On Wed, 16 Apr 2014, Martin Kosek wrote:
On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
On Wed, 16 Apr 2014, Simo Sorce wrote:
>> +                'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>> +                'ipanttrustposixoffset',
>> 'ipantsupportedencryptiontypes',
>> +                'ipantsidblacklistincoming',
>> 'ipantsidblacklistoutgoing',
>> +                # ipaNTDomainAttrs:
>> +                'ipantsecurityidentifier', 'ipantflatname',
>> 'ipantdomainguid',
>> +                'ipantfallbackprimarygroup',
>> +            },
>> +        },
>> +    }
>>
>>      label = _('Trusts')
>>      label_singular = _('Trust')
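Review bot: the attribute set in this hunk bundles ipaNTTrustedDomain internals (ipanttrustforesttrustinfo, ipanttrustposixoffset, ipantsupportedencryptiontypes, the two SID blacklist attributes) with the ipaNTDomainAttrs values (ipantsecurityidentifier, ipantflatname, ipanttrusteddomainsid) that a client needs for subdomain lookups; if this permission is bound to all authenticated users, consider splitting it so that only the client-facing subset is readable by everyone and the remaining attributes sit in a second permission granted to a trust-administration privilege. Also note that the hunk as quoted has been re-wrapped by the mailer: the lines holding 'ipantsupportedencryptiontypes', 'ipantsidblacklistoutgoing' and 'ipantdomainguid' lack their leading `+`, so check against the original patch rather than this quote.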
>
>In general I am not sure all authenticated users need access to all this
>info. Alexander ?
SSSD needs to read some of this information for subdomains support.
That would be at least host/*@REALM who needs to access it.

Can you please list exactly which ones are needed ?
SSSD subdomains support needs:
  - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
    - ipaNTFlatName
    - ipaNTSecurityIdentifier
    - ipaNTTrustedDomainSID
    - cn

Question is - is there any added value in hiding part of the
trust information from authenticated users? I.e. attributes like
ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
attribute anyway?), SID blacklists...
Yes. Some of those attributes are needed as internal detail of ipasam --
part of how Samba stores this information taken from specific DCE RPC
structures.

If yes, we would need to split this permission in 2 and have one for
authenticated users and one for "Trust Administrators" and "Trust Readers".
Yes. Authenticated users shouldn't get any access to those details:
  ipantsupportedencryptiontypes
  ipanttrustattributes
  ipanttrustauthincoming
  ipanttrustauthoutgoing


--
/ Alexander Bokovoy
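The split discussed above, worked through as an added example (this is not code from the patch or from FreeIPA itself): one permission readable by every authenticated user that carries only what SSSD subdomain support needs, a second one for the ipasam-internal attributes bound to a privilege, both rendered as 389-ds style ACIs, plus a small audit that flags a sensitive attribute exposed to everyone or an SSSD-required attribute that a host principal could no longer read. The attribute names come from the thread and the quoted hunk; the permission names, the privilege DN layout and the privilege names "Trust Administrators" / "Trust Readers" are placeholders.

```python
from dataclasses import dataclass

# Attribute sets come from the thread: what SSSD subdomains support reads,
# and the ipasam-internal attributes that authenticated users must not see.
# Permission names, DNs and privilege names are constructed placeholders.
SSSD_REQUIRED = frozenset({
    "cn", "objectclass", "ipantflatname", "ipantsecurityidentifier",
    "ipanttrusteddomainsid",
})
SENSITIVE = frozenset({
    "ipantsupportedencryptiontypes", "ipanttrustattributes",
    "ipanttrustauthincoming", "ipanttrustauthoutgoing",
})
# Other attributes visible in the quoted hunk; the thread does not flag them.
OTHER_TRUST_ATTRS = frozenset({
    "ipanttrustforesttrustinfo", "ipanttrustposixoffset",
    "ipantsidblacklistincoming", "ipantsidblacklistoutgoing",
    "ipantdomainguid", "ipantfallbackprimarygroup",
})

TRUST_FILTER = "(|(objectclass=ipaNTTrustedDomain)(objectclass=ipaNTDomainAttrs))"
PRIVILEGE_BASE = "cn=privileges,cn=pbac,dc=example,dc=test"  # placeholder DN


@dataclass(frozen=True)
class Permission:
    """A read permission over trust entries; empty privileges = any authenticated user."""
    name: str
    attrs: frozenset
    privileges: frozenset = frozenset()
    rights: tuple = ("read", "search", "compare")

    def bind_rule(self) -> str:
        # "all" binds any authenticated DN; otherwise one group DN per privilege.
        if not self.privileges:
            return 'userdn = "ldap:///all"'
        groups = " || ".join(f"ldap:///cn={p},{PRIVILEGE_BASE}" for p in sorted(self.privileges))
        return f'groupdn = "{groups}"'

    def to_aci(self) -> str:
        """Render as a 389-ds ACI string (the format FreeIPA permissions compile to)."""
        targetattr = " || ".join(sorted(self.attrs))
        return (f'(targetattr = "{targetattr}")(targetfilter = "{TRUST_FILTER}")'
                f'(version 3.0; acl "{self.name}"; allow ({", ".join(self.rights)}) '
                f'{self.bind_rule()};)')


def split_permission(combined, sensitive, admin_privileges):
    """Split one all-authenticated-users permission into a public and a privileged part."""
    public = Permission(combined.name, combined.attrs - sensitive)
    privileged = Permission(combined.name + " (privileged)", combined.attrs & sensitive,
                            frozenset(admin_privileges))
    return public, privileged


def audit(perms, sensitive, required):
    """Findings: sensitive attrs readable by everyone, or required attrs nobody-but-admins can read."""
    findings = []
    public_attrs = set()
    for p in perms:
        if p.privileges:
            continue  # privilege-bound permissions are not the concern here
        public_attrs |= p.attrs
        leaked = p.attrs & sensitive
        if leaked:
            findings.append(f"{p.name}: exposes {sorted(leaked)} to all authenticated users")
    missing = required - public_attrs
    if missing:
        findings.append(f"host/*@REALM principals cannot read {sorted(missing)}")
    return findings


def demo():
    # "before": the single permission as the hunk has it, everything readable by all.
    before = Permission("System: Read Trust Information",
                        SSSD_REQUIRED | SENSITIVE | OTHER_TRUST_ATTRS)
    public, privileged = split_permission(
        before, SENSITIVE, {"Trust Administrators", "Trust Readers"})
    return {
        "before": audit([before], SENSITIVE, SSSD_REQUIRED),
        "after": audit([public, privileged], SENSITIVE, SSSD_REQUIRED),
        "acis": [public.to_aci(), privileged.to_aci()],
    }


if __name__ == "__main__":
    for key, lines in demo().items():
        print(key)
        for line in lines:
            print("  ", line)
```

Running the block prints one finding for the combined permission (the four ipasam-internal attributes exposed to all), no findings after the split, and the two resulting ACIs. The audit deliberately checks both directions: dropping attributes from the "all" permission is only safe while every attribute SSSD reads as host/*@REALM is still in it.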

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel