On 07/04/2014 03:40 PM, Martin Kosek wrote:
On 07/04/2014 02:49 PM, Petr Viktorin wrote:
Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages should be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in cn=masters. However, currently the service entries are not accessible to all users, so the check will fail for non-admins.

We talked about this with Martin and agreed that there's no sensitive information in the service entries. This patch grants read access to all authenticated users.

Simo, is this OK?


I think this change is OK. We also only expose the service name; we do not expose any additional setting.

Would it make sense, though, that instead of creating an ACI for cn=masters we just update the 'Anonymous read access to containers' ACI and remove the 'target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX";' part?

That would grant *anonymous* access to the masters & services. Do we want that?

Given that this ACI is in the DIT root, I would like to keep it as simple as possible for performance reasons.


--
Petr³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
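As an added illustration (not code from this thread and not FreeIPA's own ACIs), the two options discussed above written out as 389-DS ACIs in LDIF. The exclusion `target != "ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX"` and the ACI name 'Anonymous read access to containers' come from the thread; the `$SUFFIX` placeholder, the attribute lists, the name of the new ACI, and the choice of `ldap:///all` (authenticated binds only) versus `ldap:///anyone` (every bind, anonymous included) are my assumptions about how such rules would be written.

```ldif
# Added example, not FreeIPA's actual ACIs. $SUFFIX stands for the IPA base DN.
#
# Variant A: edit the root ACI as suggested, dropping the target exclusion.
# Because userdn = "ldap:///anyone" matches anonymous binds as well, cn=masters
# and the service entries beneath it become readable without authentication.
# Attribute list is assumed.
#
# Before (the exclusion keeps cn=masters out of the anonymous grant):
#   aci: (target != "ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr = "objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
# After (exclusion removed; anonymous users can now read cn=masters too):
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)

# Variant B: leave the root ACI untouched and add a narrow ACI on cn=masters
# itself. userdn = "ldap:///all" matches only authenticated binds, so an
# anonymous search of cn=masters still returns nothing, while any kinit'ed
# user can run the dns-is-enabled check. Only objectclass and cn are exposed,
# which is all the '(&(objectClass=ipaConfigObject)(cn=DNS))' filter needs.
# ACI name is assumed.
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "objectclass || cn")(version 3.0; acl "Read access to masters for authenticated users"; allow(read, search, compare) userdn = "ldap:///all";)
```

To see which behaviour a server actually has, run the Web UI's own query twice and compare: once with an anonymous bind, `ldapsearch -x -b cn=masters,cn=ipa,cn=etc,$SUFFIX '(&(objectClass=ipaConfigObject)(cn=DNS))'`, and once with `-Y GSSAPI` after a `kinit` as a non-admin user. With variant B only the authenticated search returns the DNS entry; with variant A both do, which is the anonymous exposure questioned above.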
