On 04/16/2014 05:22 PM, Alexander Bokovoy wrote:
> On Wed, 16 Apr 2014, Martin Kosek wrote:
>> On 04/16/2014 05:10 PM, Alexander Bokovoy wrote:
>>> On Wed, 16 Apr 2014, Martin Kosek wrote:
>>>> On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
>>>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>>>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>>>>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>>>>> >> + 'ipanttrusteddomainsid',
>>>>>>> >> 'ipanttrustforesttrustinfo',
>>>>>>> >> + 'ipanttrustposixoffset',
>>>>>>> >> 'ipantsupportedencryptiontypes',
>>>>>>> >> + 'ipantsidblacklistincoming',
>>>>>>> >> 'ipantsidblacklistoutgoing',
>>>>>>> >> + # ipaNTDomainAttrs:
>>>>>>> >> + 'ipantsecurityidentifier', 'ipantflatname',
>>>>>>> >> 'ipantdomainguid',
>>>>>>> >> + 'ipantfallbackprimarygroup',
>>>>>>> >> + },
>>>>>>> >> + },
>>>>>>> >> + }
>>>>>>> >>
>>>>>>> >> label = _('Trusts')
>>>>>>> >> label_singular = _('Trust')
>>>>>>> >
>>>>>>> >In general I am not sure all authenticated users need access to all
>>>>>>> >this
>>>>>>> >info. Alexander ?
>>>>>>> SSSD needs to read some of this information for subdomains support.
>>>>>>> That would be at least host/*@REALM who needs to access it.
>>>>>>
>>>>>> Can you please list exactly which ones are needed ?
>>>>> SSSD subdomains support needs:
>>>>> - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>>>> - ipaNTFlatName
>>>>> - ipaNTSecurityIdentifier
>>>>> - ipaNTTrustedDomainSID
>>>>> - cn
>>>>
>>>> Question is - is there any added value in hiding part of the
>>>> trust information from authenticated users? I.e. attributes like
>>>> ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>>>> attribute anyway?), SID blacklists...
>>> Yes. Some of those attributes are needed as internal detail of ipasam --
>>> part of how Samba stores this information taken from specific DCE RPC
>>> structures.
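Review bot: the attribute set in this hunk gives one read permission over both 'ipanttrusteddomainsid' (an attribute SSSD needs for subdomains support) and attributes the thread classes as ipasam-internal detail, namely the context line 'ipantsupportedencryptiontypes' and the 'ipantsidblacklistincoming'/'ipantsidblacklistoutgoing' pair. Split it: keep the permission bound to all authenticated users down to the SSSD subset listed later in the thread (the ipaNTTrustedDomain/ipaNTDomainAttrs objectclasses, ipaNTFlatName, ipaNTSecurityIdentifier, ipaNTTrustedDomainSID, cn) and move the remaining attributes into a second permission granted only to 'adtrust agents' and 'trust admins'.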
>>>
>>>> If yes, we would need to split this permission in 2 and have one for
>>>> authenticated users and one for "Trust Administrators" and "Trust Readers".
>>> Yes. Authenticated users shouldn't get any access to those details:
>>> ipantsupportedencryptiontypes
>>> ipanttrustattributes
>>> ipanttrustauthincoming
>>> ipanttrustauthoutgoing
>>>
>>>
>>
>> Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group
>> should
>> then have this permission assigned so that samba can operate the attributes.
> 'adtrust agents' and 'trust administrators' should have read, modify,
> delete, and search on cn=trusts.
>
Right. We will probably want to turn most of the ACIs in install/updates/60-trusts.update into managed permissions (i.e. defined in trust.py) and make "adtrust agents" and "trust admins" its members. It'd make the ACIs more maintainable and install/updates/60-trusts.update would get much shorter.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel