Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages should be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in cn=masters. However, currently the service entries are not accessible to all users, so the check will fail for non-admins.


We talked about this with Martin and agreed that there's no sensitive information in the service entries.
This patch grants read access to all authenticated users.

Simo, is this OK?

--
Petr³
From 1be7481fd8521a133fc751c46df4faebcfdce58c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 4 Jul 2014 13:19:37 +0200
Subject: [PATCH] Allow read access to services in cn=masters to auth'd users

---
 install/updates/20-aci.update | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 5c4d1a1e3a90fc92effc8cd08c5220a2c382a8c7..9bbb7e4bb8d51b3d957d1f63d2c889e793276598 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -28,9 +28,9 @@ dn: $SUFFIX
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'
 
-# Read access to masters (but not their services)
+# Read access to masters and their services
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
+add:aci:'(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
 
 # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
 dn: cn=kerberos,$SUFFIX
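Review bot: the hunk replaces the `add:aci:` value under `dn: cn=masters,cn=ipa,cn=etc,$SUFFIX` but adds no `remove:aci:` for the previous value, so on an upgraded server the old ACI with the `(!(objectclass=ipaConfigObject))` filter would stay installed next to the new one; since the new ACI is strictly broader the leftover is not harmful, but removing it keeps the installed ACIs consistent with this file. Two smaller points: `targetattr="objectclass || cn"` is unchanged, so authenticated users gain read on the service entries' objectclass and cn only, which is what the `(&(objectClass=ipaConfigObject)(cn=DNS))` check in the cover letter needs; and the ACL name "Read access to masters" no longer matches the widened scope stated in the updated comment line, so consider renaming it to "Read access to masters and their services".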
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel