The dns-is-enabled command, used by the Web UI to determine if DNS pages should be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in cn=masters. However, currently the service entries are not accessible to all users, so the check will fail for non-admins.

We talked about this with Martin and agreed that there's no sensitive information in the service entries.
This patch grants read access to all authenticated users.

Simo, is this OK?

From 1be7481fd8521a133fc751c46df4faebcfdce58c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 4 Jul 2014 13:19:37 +0200
Subject: [PATCH] Allow read access to services in cn=masters to auth'd users

 install/updates/20-aci.update | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 5c4d1a1e3a90fc92effc8cd08c5220a2c382a8c7..9bbb7e4bb8d51b3d957d1f63d2c889e793276598 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -28,9 +28,9 @@ dn: $SUFFIX
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'
-# Read access to masters (but not their services)
+# Read access to masters and their services
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
-add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
+add:aci:'(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)'
 # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
 dn: cn=kerberos,$SUFFIX
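Review bot: Dropping the `(!(objectclass=ipaConfigObject))` clause makes the "Read access to masters" ACI match every nsContainer entry below cn=masters, not only the service entries the dns-is-enabled check needs, so the scope widens to anything that is or later becomes a container there; since `targetattr="objectclass || cn"` is unchanged, what an authenticated bind gains is the existence and names of those entries, not their other attributes, which is consistent with the "no sensitive information" rationale in the mail. Two suggestions: record that rationale in the commit message rather than only in the mail thread, and add a test that binds as a non-admin user, runs the `(&(objectClass=ipaConfigObject)(cn=DNS))` search under cn=masters, and confirms that attributes other than objectclass and cn on those service entries are still not returned.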

Freeipa-devel mailing list
