On 07/04/2014 03:55 PM, Petr Viktorin wrote:
On 07/04/2014 03:40 PM, Martin Kosek wrote:
On 07/04/2014 02:49 PM, Petr Viktorin wrote:
Hello,

The dns-is-enabled command, used by the Web UI to determine if DNS pages should be displayed, queries '(&(objectClass=ipaConfigObject)(cn=DNS))' in cn=masters.
However, currently the service entries are not accessible to all users, so the check will fail for non-admins.

We talked about this with Martin and agreed that there's no sensitive information in the service entries.
This patch grants read access to all authenticated users.

Simo, is this OK?


I think this change is OK. We also only expose the service name, we do
not expose any additional setting.

Would it make sense though that instead of creating an ACI for cn=masters, we would just update the 'Anonymous read access to containers' ACI and remove the 'target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX";' part?

That would grant *anonymous* access the masters & services. Do we want that?

Hmm, no, I do not think we want to do that.

Your change looks good to me then. Besides others, it fixes
https://fedorahosted.org/freeipa/ticket/4425
so I added it to the patch description.

ACK. Pushed to master: 23feb4e0271d6876e2137f301f209a9f3af19084

Martin
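For readers outside the thread, an added illustration (not the patch that was pushed) of what the grant discussed above looks like as a 389-ds ACI on cn=masters, limited to authenticated binds, next to the broader anonymous alternative that was rejected. The attribute list (cn and objectClass, the only attributes the dns-is-enabled filter needs) and the ACI name are assumptions.

```ldif
# Assumed ACI, not the actual FreeIPA patch: let every *authenticated* user
# read and search the service entries under cn=masters. userdn "ldap:///all"
# in 389-ds means any bound (non-anonymous) identity.
# Only cn and objectClass are exposed, which is all the Web UI filter
# (&(objectClass=ipaConfigObject)(cn=DNS)) needs; no service settings leak.
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "cn || objectClass")(version 3.0; acl "Read access to masters for authenticated users"; allow (read, search, compare) userdn = "ldap:///all";)

# Rejected alternative, for contrast only: removing the
# target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX" exclusion from the
# existing 'Anonymous read access to containers' ACI has the effect of
# userdn = "ldap:///anyone", i.e. an unauthenticated bind could also
# enumerate masters and the services running on them.
#
# Check after applying (run as an ordinary, non-admin user with a Kerberos
# ticket; expect the DNS service entries back, not "Insufficient access"):
#   ldapsearch -Y GSSAPI -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" \
#       "(&(objectClass=ipaConfigObject)(cn=DNS))" cn
# and the same search with -x (anonymous) should still return nothing.
```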

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
