On 09/03/2014 07:55 AM, Alexander Bokovoy wrote:
> Switching to freeipa-devel@ since it is an important issue.
>
> On Tue, 02 Sep 2014, Rob Crittenden wrote:
>> Chris Whittle wrote:
>>> If I do this
>>>
>>> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D
>>> "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword'
>>> -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"
>>>
>>> It works fine
>>
>> AFAICT there currently isn't a permission for the compat tree. The admin
>> user can do it via "Admin can manage any entry" and of course DM can do
>> it because it can do anything.
>>
>> A temporary workaround would be to add an aci manually:
>>
>> dn: dc=example,dc=com
>> changetype: modify
>> add: aci
>> aci: (targetattr = "*")(target =
>> "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
>> "Read canlogin compat tree";allow (compare,read,search) userdn =
>> "ldap:///all";)
>>
>> This won't show up as a permission and will grant all authenticated
>> users read access to the canlogin compat tree. I'm assuming here this
>> contains entries keyed on uid.
> We have several use-cases for compat tree and I wonder what to do with
> completely unauthenticated case? Do we still want to support that?
Wouldn't hiding the compat tree from all but authenticated users limit our
Legacy Client feature? See "ipa-advise config-redhat-nss-ldap"; this advice
would stop working after this change, right?

We already show a selected subset of attributes to anonymous, I think we
should continue with that:

# ipa permission-show "System: Read User Standard Attributes"
  Permission name: System: Read User Standard Attributes
  Granted rights: read, compare, search
  Effective attributes: cn, description, displayname, gecos, gidnumber,
    givenname, homedirectory, initials, ipantsecurityidentifier, loginshell,
    manager, objectclass, sn, title, uid, uidnumber
  Default attributes: displayname, description, title, objectclass,
    loginshell, ipantsecurityidentifier, uidnumber, gidnumber, initials,
    manager, gecos, sn, homedirectory, givenname, cn, uid
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
  Type: user

> Exposing the same data anonymously over compat tree when it is available
> only for authenticated users over primary tree isn't secure.

If you check cn=users,cn=Schema Compatibility,cn=plugins,cn=config you will
see that we only allow attributes we already expose to anonymous as in the
basic permission. So it is not that bad.

But maybe we should add a new internal "link" between standard and compat
tree permissions and issue a warning when visibility of one is changed...

Regarding missing compat permissions, I would personally add these:

  System: Read User Compat Tree
  System: Read Group Compat Tree
  System: Read Host Compat Tree
  System: Read Netgroup Compat Tree

so that they are close to their standard tree alternatives.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
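An added example, not from the thread or the FreeIPA project: a small Python audit of 389-ds ACI strings like the workaround above, checking whether the bind rule admits anonymous binds and whether targetattr exposes more than the anonymous "System: Read User Standard Attributes" set quoted in the thread. The two sample ACIs (and the ipaSshPubKey attribute in the second) are constructed for illustration.

```python
import re

# 389-ds bind rules for "everyone": ldap:///all is any authenticated user,
# ldap:///anyone additionally covers anonymous (unauthenticated) binds.
ANYONE = "ldap:///anyone"

# Attributes of "System: Read User Standard Attributes" as quoted in the
# thread, i.e. what FreeIPA already shows to anonymous on the primary tree.
STANDARD_USER_ATTRS = {
    "cn", "description", "displayname", "gecos", "gidnumber", "givenname",
    "homedirectory", "initials", "ipantsecurityidentifier", "loginshell",
    "manager", "objectclass", "sn", "title", "uid", "uidnumber",
}

def parse_aci(aci):
    """Extract the quoted targetattr, target and userdn values of an ACI."""
    def quoted(key):
        m = re.search(r'\b%s\s*=\s*"([^"]*)"' % key, aci)
        return m.group(1) if m else None
    return {k: quoted(k) for k in ("targetattr", "target", "userdn")}

def audit_aci(aci, allowed=STANDARD_USER_ATTRS):
    """Return findings where an ACI goes beyond the anonymous standard view."""
    p = parse_aci(aci)
    findings = []
    if p["userdn"] == ANYONE:
        findings.append("anonymous-read")
    if p["targetattr"] == "*":
        findings.append("exposes-all-attributes")
    elif p["targetattr"]:
        # targetattr lists are "||"-separated; attribute names are case-insensitive
        attrs = {a.strip().lower() for a in p["targetattr"].split("||")}
        extra = attrs - allowed
        if extra:
            findings.append("extra-attributes:" + ",".join(sorted(extra)))
    return findings

# Sample ACIs (constructed): the workaround ACI quoted in the thread, and an
# anonymous variant that also reveals an attribute outside the standard set.
WORKAROUND_ACI = (
    '(targetattr = "*")(target = "ldap:///uid=*,cn=canlogin,cn=compat,'
    'dc=example,dc=com")(version 3.0;acl "Read canlogin compat tree";'
    'allow (compare,read,search) userdn = "ldap:///all";)'
)
ANON_ACI = (
    '(targetattr = "uid || cn || homeDirectory || ipaSshPubKey")'
    '(target = "ldap:///uid=*,cn=users,cn=compat,dc=example,dc=com")'
    '(version 3.0;acl "Anon compat users";allow (read,search,compare) '
    'userdn = "ldap:///anyone";)'
)
```

Running audit_aci over the ACIs exported from cn=config (or from the suffix entry) gives a quick list of compat-tree rules that are wider than the standard-tree permission they should mirror.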