On 06/20/2014 05:51 PM, Jakub Hrozek wrote:
On Fri, Jun 20, 2014 at 04:45:45PM +0200, Martin Kosek wrote:
On 06/20/2014 04:24 PM, Jakub Hrozek wrote:
On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
...
I think we should just make a note to self to allow users to fix the
ACIs manually should they run into the problem while being unable to
upgrade for whatever reason.

So we only seem to dereference member and memberof. We dereference either user
groups to get users or host groups to get hosts. For hosts we are
interested in these attributes:
     "ipa_host_object_class"
     "ipa_host_name"
     "ipa_host_fqdn"
     "ipa_host_serverhostname"
     "ipa_host_member_of"
     "ipa_host_ssh_public_key"
     "ipa_host_uuid"

For users and groups, the list is longer and can be found here:
https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ipa/ipa_opts.h#n166

Look for ipa_user_map and ipa_group_map.

But in general I agree with Simo that we shouldn't spend too much time
on this when the DS is fixed.

Ok, makes sense.
For IPA we only care about memberof, but keep in mind that attribute
maps in SSSD are configurable.

Hm, that makes option 2) even more challenging...


But because the ACIs would only be applied on IPA servers, I think we
can limit ourselves to the IPA schema only for the workaround.

Thanks all for the responses. It seems that the plan is clear:

1) Prepare a fix for the DS deref access control issue (https://fedorahosted.org/389/ticket/47821). Ludwig, could you now please start working on this one? It takes precedence over the 4.1 or 4.2 work you were working on.

2) Backport the fix to supported platforms along with the other ACI fixes that Ludwig has already found - Fedora 19 (?), Fedora 20, next RHEL-6.x.

3) The 4.0 release note will contain a warning about the minimal DS version of the replicas. We will have a workaround ready, based on the data that Jakub provided, in case someone hits the issue and cannot update to a fixed DS version.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel