Hello all,

I would like to discuss what we should do with the latest issue we found in SSSD-DS communication, which is broken after the ACI refactoring.

I was working with Ludwig; there is a problem in the way the deref plugin checks the access to the referenced entry. Instead of checking the target entry itself, Ludwig found out that the deref plugin checks a dummy entry created from the dereferenced DN, not the real entry. Details in DS ticket: https://fedorahosted.org/389/ticket/47821

Previously, we allowed read access globally, so it worked fine. Now, when we have targeted ACIs using an objectclass targetfilter, the access control goes wrong, the deref plugin does not return all attributes and SSSD does not work (see 4389).

The question is what we should do in 4.0. We could have the DS team fix the deref plugin, but this would break SSSD connected to old RHEL/CentOS 6.x replicas which would not have the fix. So we need to be cautious about this one. I see a couple of ways:

1) Fix the DS deref plugin in F20 and the next RHEL 6.x and specify that RHEL 6.x as the minimal version of FreeIPA/DS required when replicating with FreeIPA 4.0. This option is a bit clumsy.

2) Add temporary ACIs allowing access to the attributes that SSSD needs for deref calls. I tested it with Jakub's example call and it fixed this query:

# ipa permission-add --subtree cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com --right={read,search,compare} --attrs={objectclass,memberof,managedby} --bindtype all deref_managedby
# kinit -kt /etc/krb5.keytab
# ldapsearch -Y GSSAPI -h vm-236.idm.lab.eng.brq.redhat.com -b fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com -E 'deref=managedBy:objectClass'
...
dn: fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
control: 1.3.6.1.4.1.4203.666.5.16 false MIQAAAEgMIQAAAEaBAltYW5hZ2VkQnkEaGZxZG49dm0tMDg2LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20sY249Y29tcHV0ZXJzLGNuPWFjY291bnRzLGRjPWlkbSxkYz1sYWIsZGM9ZW5nLGRjPWJycSxkYz1yZWRoYXQsZGM9Y29toIQAAACfMIQAAACZBAtvYmplY3RDbGFzczGEAAAAhgQJaXBhb2JqZWN0BA1pZWVlODAyZGV2aWNlBAZuc2hvc3QECmlwYXNlcnZpY2UEB3BraXVzZXIEB2lwYWhvc3QEDGtyYnByaW5jaXBhbAQPa3JicHJpbmNpcGFsYXV4BAppcGFzc2hob3N0BAN0b3AEFGlwYVNzaEdyb3VwT2ZQdWJLZXlz
# managedBy: <objectClass=ipaobject>;<objectClass=ieee802device>;<objectClass=nshost>;<objectClass=ipaservice>;<objectClass=pkiuser>;<objectClass=ipahost>;<objectClass=krbprincipal>;<objectClass=krbprincipalaux>;<objectClass=ipasshhost>;<objectClass=top>;<objectClass=ipaSshGroupOfPubKeys>;fqdn=vm-086.idm.lab.bos.redhat.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

Jakub, what else would we need to allow? After this change, login/sudo seemed to work for me on F20. The ACIs would be removed when all our supported DS versions have the deref plugin fixed.

-- 
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
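The "control:" line in the ldapsearch output above carries the BER-encoded response of the dereference control (OID 1.3.6.1.4.1.4203.666.5.16, draft-masarati-ldap-deref): the dereferenced attribute, the DN it pointed at, and whatever attributes of that entry the server let the requester see. The following is an added example, not code from the thread or from FreeIPA or 389 DS: a small Python decoder for that value (the folded base64 continuation lines from the output above joined back into one string) plus a check that reports which requested attributes did not come back, which is exactly what the broken deref access check drops. All function names, including the missing_attributes helper, are my own; the parser accepts the 4-byte long-form lengths (0x84 ...) that this server emits, which are valid BER but not minimal DER, so a strict DER decoder would reject the value.

```python
import base64

# Constructed from the ldapsearch output quoted above: the folded base64
# continuation lines of the "control:" value were joined into one string.
DEREF_RESPONSE_B64 = (
    "MIQAAAEgMIQAAAEaBAltYW5hZ2VkQnkEaGZxZG49dm0tMDg2LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20s"
    "Y249Y29tcHV0ZXJzLGNuPWFjY291bnRzLGRjPWlkbSxkYz1sYWIsZGM9ZW5nLGRjPWJycSxkYz1yZWRo"
    "YXQsZGM9Y29toIQAAACfMIQAAACZBAtvYmplY3RDbGFzczGEAAAAhgQJaXBhb2JqZWN0BA1pZWVlODAy"
    "ZGV2aWNlBAZuc2hvc3QECmlwYXNlcnZpY2UEB3BraXVzZXIEB2lwYWhvc3QEDGtyYnByaW5jaXBhbAQP"
    "a3JicHJpbmNpcGFsYXV4BAppcGFzc2hob3N0BAN0b3AEFGlwYVNzaEdyb3VwT2ZQdWJLZXlz"
)


class BerError(ValueError):
    pass


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element at buf[pos].

    Handles short-form and definite long-form lengths. The server above encodes
    every length as 0x84 + 4 bytes, which is legal BER but not minimal DER.
    """
    if pos + 2 > len(buf):
        raise BerError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise BerError("indefinite length not supported")
    else:
        n = first & 0x7F
        if pos + n > len(buf):
            raise BerError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise BerError("value runs past end of data")
    return tag, buf[pos:end], end


def _children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _expect(tag, want, what):
    if tag != want:
        raise BerError("%s: expected tag 0x%02x, got 0x%02x" % (what, want, tag))


def parse_deref_response(control_value):
    """Decode SEQUENCE OF DerefRes.

    DerefRes ::= SEQUENCE { derefAttr OCTET STRING, derefVal LDAPDN,
                            attrVals [0] PartialAttributeList OPTIONAL }
    Returns a list of {"attr", "dn", "vals": {type: [value, ...]}}.
    """
    tag, outer, end = _read_tlv(control_value, 0)
    _expect(tag, 0x30, "DerefRes list")
    if end != len(control_value):
        raise BerError("trailing bytes after control value")
    results = []
    for tag, res in _children(outer):
        _expect(tag, 0x30, "DerefRes")
        parts = _children(res)
        if len(parts) < 2:
            raise BerError("DerefRes needs derefAttr and derefVal")
        _expect(parts[0][0], 0x04, "derefAttr")
        _expect(parts[1][0], 0x04, "derefVal")
        entry = {"attr": parts[0][1].decode(), "dn": parts[1][1].decode(), "vals": {}}
        if len(parts) > 2:
            _expect(parts[2][0], 0xA0, "attrVals")  # context-specific [0]
            for tag, pa in _children(parts[2][1]):
                _expect(tag, 0x30, "PartialAttribute")
                kids = _children(pa)
                if len(kids) != 2:
                    raise BerError("PartialAttribute needs type and vals")
                _expect(kids[0][0], 0x04, "attribute type")
                _expect(kids[1][0], 0x31, "attribute values")  # SET OF
                entry["vals"][kids[0][1].decode()] = [
                    v.decode("utf-8", "replace") for t, v in _children(kids[1][1]) if t == 0x04]
        results.append(entry)
    return results


def decode_ldapsearch_control(b64):
    return parse_deref_response(base64.b64decode(b64))


def missing_attributes(deref_result, requested):
    """Requested attributes the server did not return (LDAP names are case-insensitive)."""
    have = {name.lower() for name in deref_result["vals"]}
    return [a for a in requested if a.lower() not in have]


if __name__ == "__main__":
    for r in decode_ldapsearch_control(DEREF_RESPONSE_B64):
        print("%s -> %s" % (r["attr"], r["dn"]))
        for t, vs in r["vals"].items():
            print("  %s: %s" % (t, ", ".join(vs)))
        print("  missing:", missing_attributes(r, ["objectClass", "memberOf"]))
```

Running it against the captured value prints the single managedBy dereference with all eleven objectClass values, and missing_attributes shows memberOf as absent simply because the query only asked for objectClass. To reproduce the bug from the thread, run the same decoder over the control value returned before the temporary permission is added, with the same deref request: any attribute listed there as missing is one the plugin withheld because it evaluated the ACIs against the dummy entry rather than the real one.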