On Fri, 2014-04-18 at 15:49 +0200, Martin Kosek wrote:
> On 04/18/2014 03:43 PM, Simo Sorce wrote:
> > On Fri, 2014-04-18 at 13:50 +0200, Petr Viktorin wrote:
> >> This extends the "Anonymous read access to containers" ACI to cover
> >> cn=etc, as discussed in [0].
> >>
> >> A new objectClass is added so we can exclude virtual ops with
> >> targetfilter: ipaVirtualOperation (2.16.840.1.113730.3.8.12.23).
> >>
> >>
> >> [0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00319.html
> >>
> >
> > LGTM
> >
>
> It works perfectly except for one subtree we missed during the initial review and
> which we should discuss:
>
> cn=replicas,cn=ipa,cn=etc,SUFFIX
>
> It contains a list of replicas (not FreeIPA masters) connected to FreeIPA.
> Currently, this only affects Winsync replicas.
>
> I just verified that an anonymous user can retrieve the list of connected ADs via
> winsync. The question is how to prevent it, given that this is created dynamically
> also by older FreeIPA servers and given that it has no special objectclass to
> base a filtration on.
>
> Maybe we would need to add a deny ACI in this case after all?
Or we can add an objectclass here too; the update script will then need to look at
existing objects dynamically and update them.

However, we could also add a deny ACI only in this subtree for now and change it
later, if we think that's too much work. We have plans to revisit shared replica
information storage anyway, so perhaps it is not worth spending too much time on
this now.

Simo.

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
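To make the two options in the thread concrete, here is an added example that is not FreeIPA or 389-DS code: a toy model of subtree-scoped ACIs with an objectClass-based targetfilter, evaluated the way the thread relies on (an ACI placed on cn=etc is inherited by everything below it, a `(!(objectClass=X))` targetfilter excludes only entries that carry X, and a deny wins over an allow). The suffix, the `nsContainer` class on the constructed entries, the winsync replica DNs, the virtual-operation DN and the `ipaReplicaMarker` class name are all assumptions made up for the example; only `cn=replicas,cn=ipa,cn=etc,SUFFIX`, the `ipaVirtualOperation` class and the ACI name come from the thread. The real ACI's `target`/`targetattr` clauses and bind-rule details are not modelled.

```python
# Added example, not FreeIPA or 389-DS code: a simplified model of ACI
# evaluation to show why anonymous can still read cn=replicas under cn=etc,
# and what the two proposed fixes (deny ACI vs. marker objectClass) do.
from dataclasses import dataclass

SUFFIX = "dc=example,dc=test"                   # constructed suffix
ETC = f"cn=etc,{SUFFIX}"
REPLICAS = f"cn=replicas,cn=ipa,cn=etc,{SUFFIX}"  # from the thread


@dataclass(frozen=True)
class Entry:
    dn: str
    object_classes: frozenset


@dataclass(frozen=True)
class Aci:
    name: str
    scope_dn: str        # entry the ACI is attached to; covers it and its subtree
    effect: str          # "allow" or "deny"
    bind: str            # "anyone" (anonymous included) or "all" (authenticated only)
    excluded_classes: frozenset = frozenset()   # targetfilter (!(objectClass=X)) per X


def in_scope(aci, entry):
    return entry.dn == aci.scope_dn or entry.dn.endswith("," + aci.scope_dn)


def filter_matches(aci, entry):
    # (!(objectClass=X)) excludes exactly the entries that carry X
    return not (aci.excluded_classes & entry.object_classes)


def bind_matches(aci, anonymous):
    return aci.bind == "anyone" or (aci.bind == "all" and not anonymous)


def can_read(entry, acis, anonymous):
    applicable = [a for a in acis
                  if in_scope(a, entry) and filter_matches(a, entry)
                  and bind_matches(a, anonymous)]
    if any(a.effect == "deny" for a in applicable):
        return False                     # deny takes precedence over allow
    return any(a.effect == "allow" for a in applicable)


def readable_by(entries, acis, anonymous):
    return sorted(e.dn for e in entries if can_read(e, acis, anonymous))


# Constructed tree: containers, one winsync replica entry with no
# distinguishing class, and one entry carrying ipaVirtualOperation.
ENTRIES = [
    Entry(ETC, frozenset({"top", "nsContainer"})),
    Entry(f"cn=ipa,{ETC}", frozenset({"top", "nsContainer"})),
    Entry(REPLICAS, frozenset({"top", "nsContainer"})),
    Entry(f"cn=ad.example.test,{REPLICAS}", frozenset({"top", "nsContainer"})),
    Entry(f"cn=some virtual op,cn=virtual operations,{ETC}",
          frozenset({"top", "ipaVirtualOperation"})),
]

# The extended "Anonymous read access to containers" ACI as the thread describes it.
ANON_READ = Aci("Anonymous read access to containers", ETC, "allow", "anyone",
                frozenset({"ipaVirtualOperation"}))


def baseline():
    """What anonymous can read with only the extended container ACI."""
    return readable_by(ENTRIES, [ANON_READ], anonymous=True)


def with_deny_aci():
    """Option 1: a deny ACI on the cn=replicas subtree; returns (anonymous, authenticated)."""
    deny = Aci("Deny read of replicas", REPLICAS, "deny", "anyone")
    acis = [ANON_READ, deny]
    return (readable_by(ENTRIES, acis, anonymous=True),
            readable_by(ENTRIES, acis, anonymous=False))


def with_marker_class(tag_existing):
    """Option 2: a marker objectClass on replica entries, added to the targetfilter.
    tag_existing=False models an update script that does not touch old entries."""
    marker = "ipaReplicaMarker"          # hypothetical class name, not from FreeIPA
    entries = []
    for e in ENTRIES:
        if tag_existing and e.dn.endswith("," + REPLICAS):
            e = Entry(e.dn, e.object_classes | {marker})   # the update script's job
        entries.append(e)
    # An entry created by a server that already knows the marker class.
    entries.append(Entry(f"cn=ad2.example.test,{REPLICAS}",
                         frozenset({"top", "nsContainer", marker})))
    acis = [Aci(ANON_READ.name, ETC, "allow", "anyone",
                ANON_READ.excluded_classes | {marker})]
    return readable_by(entries, acis, anonymous=True)


if __name__ == "__main__":
    print("baseline, anonymous:", baseline())
    anon, authn = with_deny_aci()
    print("deny ACI, anonymous:", anon)
    print("deny ACI, authenticated:", authn)
    print("marker class, old entries untouched:", with_marker_class(False))
    print("marker class, old entries updated:", with_marker_class(True))
```

Two things the model makes visible. The marker-class route only hides entries that actually carry the class, which is why an update step for entries created by older servers is unavoidable with that option. The deny route hides the subtree immediately, but a deny whose bind rule is `ldap:///anyone` also matches authenticated binds (in this model, and, to my knowledge, in 389-DS, where only the Directory Manager bypasses ACIs), so a deny ACI needs a bind rule that matches only the binds you intend to block; check that against the directory server's ACI documentation before relying on it.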
