See commit message.

This was found in the review of host write permissions (my patches 0578-0579).

From 3b30eb633431f83817cd3513b44c69d5de40be3c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <>
Date: Thu, 19 Jun 2014 13:01:06 +0200
Subject: [PATCH] Allow read access to masters, but not their services, to
 auth'd users

The ipa host-del command checks if the host to be deleted is an
IPA master by looking up the entry in cn=masters.
If the entry is not accessible, host-del would proceed to delete
the host.
Thus we need to allow reading the master entries to at least
those that can delete hosts.
Since the host information is also available via DNS, it makes
no sense be extremely secretive about it.

Part of the work for:
 install/updates/20-aci.update | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 6af800111f30d26d37ceb0849f8730a3e15dad0b..a10eb407700d352634d04c1e33dc996af6aaf87d 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -28,6 +28,10 @@ dn: $SUFFIX
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'
+# Read access to masters (but not their services)
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
 # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
 dn: cn=kerberos,$SUFFIX
 add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";;)'

Freeipa-devel mailing list

Reply via email to