On 06/19/2014 04:50 PM, Martin Kosek wrote:
On 06/19/2014 03:59 PM, Petr Viktorin wrote:
On 06/19/2014 02:19 PM, Martin Kosek wrote:
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
See commit message.

This was found in the review of host write permissions (my patches 0578-0579).

Wouldn't it be better to filter based on objectclass? I.e.:

(targetfilter="(!(objectclass=ipaConfigObject))"

instead of DN based target filter? It seems to me that it is more resilient to
changes in LDAP structure, in case we change RDN or make one more level like
(just example):

cn=DNSSEC,cn=DNS,cn=ipa.master.test,...

Sure, fixed patch attached.

/me sighs. I took the information for granted and I did not read the ACI
carefully and did not notice you sent wrong patch which I pushed... Could we
please fix the filter and remove the target part now?

Thanks,
Martin

Sorry for that :(
Here is a fix patch.


--
PetrĀ³
From 0c4410eb6b4baa3bd3288e86c48987eb1b24f7cd Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 19 Jun 2014 13:01:06 +0200
Subject: [PATCH] Fix: Allow read access to masters, but not their services, to
 auth'd users

Fixes commit b243da415ecb2c28b5aa9bc563595efe35a40987

A bad version of the patch was sent and pushed.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/20-aci.update | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index a10eb407700d352634d04c1e33dc996af6aaf87d..42fca71f33cfa2e4f145ed2bfc6faf35d82ecc05 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -30,7 +30,7 @@ dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
 
 # Read access to masters (but not their services)
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
+add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
 
 # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
 dn: cn=kerberos,$SUFFIX
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to