Switching to freeipa-devel@ since it is an important issue.

On Tue, 02 Sep 2014, Rob Crittenden wrote:
Chris Whittle wrote:
If I do this

ldapsearch -LLL -H ldaps://DOMAIN:636 -x \
  -D "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword' \
  -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"

It works fine

AFAICT there currently isn't a permission for the compat tree. The admin
user can do it via "Admin can manage any entry" and of course DM can do
it because it can do anything.

A temporary workaround would be to add an aci manually:

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target =
  "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
  "Read canlogin compat tree";allow (compare,read,search) userdn =
  "ldap:///all";)

This won't show up as a permission and will grant all authenticated
users read access to the canlogin compat tree. I'm assuming here this
contains entries keyed on uid.

We have several use-cases for the compat tree and I wonder what to do with
the completely unauthenticated case? Do we still want to support that?

Exposing the same data anonymously over the compat tree when it is available
only for authenticated users over the primary tree isn't secure.

--
/ Alexander Bokovoy
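The exchange above turns on one detail of 389 Directory Server bind rules: `userdn = "ldap:///all"` matches every authenticated bind, while `userdn = "ldap:///anyone"` also matches an anonymous bind. The following is an added illustration, not code from the thread or from FreeIPA: a small, deliberately simplified evaluator that parses the ACI Rob posted, matches the wildcard target DN, and answers whether a given bind (None = anonymous) may read a compat entry. It handles only the constructs that ACI uses (one target, one rights list, a userdn of all/anyone/self) and is not the real ACI engine; the entry and bind DNs under dc=example,dc=com are constructed for the example and are assumptions.

```python
import re

# Bind-rule semantics modelled here (389 DS): "all" = any authenticated
# bind, "anyone" = authenticated or anonymous, "self" = bind DN == entry DN.
# This is a simplified model for illustration, not 389 DS's ACI parser.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)";\s*\)'
)


def parse_aci(text):
    """Parse an ACI of the shape used in the thread; whitespace and line
    folding from the mail client are collapsed first."""
    m = ACI_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported ACI syntax")
    aci = m.groupdict()
    aci["rights"] = {r.strip() for r in aci["rights"].split(",")}
    return aci


def dn_norm(dn):
    # Crude DN normalisation: lowercase, strip spaces around RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))


def target_matches(target, entry_dn):
    # A '*' in the target DN matches one RDN value (e.g. uid=*).
    pattern = "^" + re.escape(dn_norm(target)).replace(r"\*", "[^,]*") + "$"
    return re.match(pattern, dn_norm(entry_dn)) is not None


def bind_rule_matches(userdn, bind_dn, entry_dn):
    """bind_dn is None for an anonymous (unauthenticated) bind."""
    if userdn == "anyone":
        return True                      # anonymous included
    if bind_dn is None:
        return False                     # all/self need an authenticated bind
    if userdn == "all":
        return True
    if userdn == "self":
        return dn_norm(bind_dn) == dn_norm(entry_dn)
    raise ValueError("unsupported userdn: " + userdn)


def allowed(aci, bind_dn, entry_dn, right="read"):
    """True if this single ACI grants `right` on entry_dn to bind_dn."""
    return (
        aci["effect"] == "allow"
        and right in aci["rights"]
        and target_matches(aci["target"], entry_dn)
        and bind_rule_matches(aci["userdn"], bind_dn, entry_dn)
    )


# The ACI from Rob's workaround, as it appears folded in the mail.
ROB_ACI = '''(targetattr = "*")(target =
"ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
"Read canlogin compat tree";allow (compare,read,search) userdn =
"ldap:///all";)'''

# The variant that would expose the compat tree anonymously (the case
# Alexander warns about).
ANON_ACI = ROB_ACI.replace('"ldap:///all"', '"ldap:///anyone"')

# Constructed DNs (assumptions for this example).
COMPAT_ENTRY = "uid=awesomeuser,cn=canlogin,cn=compat,dc=example,dc=com"
PRIMARY_ENTRY = "uid=awesomeuser,cn=users,cn=accounts,dc=example,dc=com"
SERVICE_BIND = "uid=mac_slave,cn=users,cn=accounts,dc=example,dc=com"


if __name__ == "__main__":
    rob, anon = parse_aci(ROB_ACI), parse_aci(ANON_ACI)
    for label, aci in (("ldap:///all", rob), ("ldap:///anyone", anon)):
        print(label,
              "authenticated:", allowed(aci, SERVICE_BIND, COMPAT_ENTRY),
              "anonymous:", allowed(aci, None, COMPAT_ENTRY))
```

The check to run against a real server is the same pair of binds: repeat the ldapsearch above with `-b` pointing at the cn=canlogin,cn=compat subtree once with `-D`/`-w` and once with neither (an anonymous simple bind), and confirm only the first returns entries.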

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
