On Wed, 16 Apr 2014, Martin Kosek wrote:
>In general I am not sure all authenticated users need access to all this
>info. Alexander ?
SSSD needs to read some of this information for subdomains support.
That would be at least host/*@REALM who needs to access it.

>Can you please list exactly which ones are needed?
SSSD subdomains support needs:
  - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
    - ipaNTFlatName
    - ipaNTSecurityIdentifier
    - ipaNTTrustedDomainSID
    - cn

>Question is - is there any added value in hiding part of the
>trust information from authenticated users? I.e. attributes like
>ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>attribute anyway?), SID blacklists...
Yes. Some of those attributes are needed as internal detail of ipasam --
part of how Samba stores this information taken from specific DCE RPC
structures.

>If yes, we would need to split this permission in 2 and have one for
>authenticated users and one for "Trust Administrators" and "Trust Readers".
Yes. Authenticated users shouldn't get any access to those details:
  ipantsupportedencryptiontypes
  ipanttrustattributes
  ipanttrustauthincoming
  ipanttrustauthoutgoing

>Ok. I assume that "cn=adtrust agents,cn=sysaccounts,SUFFIX" system group should
>then have this permission assigned so that samba can operate the attributes.
'adtrust agents' and 'trust administrators' should have read, modify,
delete, and search on cn=trusts.

>Right. We will probably want to turn most of the ACIs in
>install/updates/60-trusts.update into managed permissions (i.e. defined in
>trust.py) and make "adtrust agents" and "trust admins" its members.
I agree.
--
/ Alexander Bokovoy
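A sketch of the two-permission split discussed above, written in the style of a FreeIPA update file. This is an added illustration, not the contents of the project's 60-trusts.update or trust.py; the $SUFFIX placeholder, the permission names and the "cn=trust admins,cn=groups,cn=accounts,$SUFFIX" group DN are assumptions.

```ldif
# Constructed example in the install/updates/*.update format; not the project's own ACIs.
# ACI 1: every authenticated user (userdn "ldap:///all"; "ldap:///anyone" would also
# cover anonymous binds) may read only the attributes SSSD subdomain support needs.
dn: cn=trusts,$SUFFIX
add:aci: (targetattr = "cn || objectclass || ipantflatname || ipantsecurityidentifier || ipanttrusteddomainsid")(targetfilter = "(|(objectclass=ipaNTTrustedDomain)(objectclass=ipaNTDomainAttrs))")(version 3.0;acl "permission:Read Trust Information";allow (read,search,compare) userdn = "ldap:///all";)

# ACI 2: trust admins and the adtrust agents system group get full access to cn=trusts,
# which includes the ipasam internals (ipanttrustattributes, ipanttrustauthincoming,
# ipanttrustauthoutgoing, ipantsupportedencryptiontypes) that ACI 1 deliberately omits.
dn: cn=trusts,$SUFFIX
add:aci: (targetattr = "*")(version 3.0;acl "permission:Manage Trusts";allow (read,search,compare,write,add,delete) groupdn = "ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX" or groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,$SUFFIX";)
```

Because 389-ds ACIs are allow-only on top of a default deny, the sensitive attributes stay hidden from authenticated users simply by not being listed in the first targetattr; an ldapsearch of cn=trusts bound as an ordinary user is the quick way to confirm that only the listed attributes come back.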

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel