On 09/03/2014 07:55 AM, Alexander Bokovoy wrote:
> Switching to freeipa-devel@ since it is an important issue.
> On Tue, 02 Sep 2014, Rob Crittenden wrote:
>> Chris Whittle wrote:
>>> If I do this
>>> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D
>>> "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword'
>>> -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"
>>> It works fine
>> AFAICT there currently isn't a permission for the compat tree. The admin
>> user can do it via "Admin can manage any entry" and of course DM can do
>> it because it can do anything.
>> A temporary workaround would be to add an aci manually:
>> dn: dc=example,dc=com
>> changetype: modify
>> add: aci
>> aci: (targetattr = "*")(target =
>> "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
>> "Read canlogin compat tree";allow (compare,read,search) userdn =
>> This won't show up as a permission and will grant all authenticated
>> users read access to the canlogin compat tree. I'm assuming here this
>> contains entries keyed on uid.
> We have several use-cases for compat tree and I wonder what to do with
> completely unauthenticated case? Do we still want to support that?
Wouldn't hiding the compat tree only to authenticated users limit our Legacy
Client feature? See "ipa-advise config-redhat-nss-ldap", this advice would stop
working after this change, right?
We already show a selected subset of attributes to anonymous, I think we should
continue with that:
# ipa permission-show "System: Read User Standard Attributes"
Permission name: System: Read User Standard Attributes
Granted rights: read, compare, search
Effective attributes: cn, description, displayname, gecos, gidnumber,
initials, ipantsecurityidentifier, loginshell, manager,
objectclass, sn, title,
Default attributes: displayname, description, title, objectclass, loginshell,
uidnumber, gidnumber, initials, manager, gecos, sn,
homedirectory, givenname, cn,
Bind rule type: anonymous
> Exposing the same data anonymously over compat tree when it is available
> only for authenticated users over primary tree isn't secure.
If you check
you would see that we only allow attributes we already expose to anonymous as
in the basic permission. So it is not that bad.
But maybe we should add a new internal "link" between standard and compat tree
permissions and issue a warning when visibility of one is changed...
Regarding missing compat permissions, I would personally add these:
System: Read User Compat Tree
System: Read Group Compat Tree
System: Read Host Compat Tree
System: Read Netgroup Compat Tree
so that they are close to their standard tree alternatives.
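The "link" between standard-tree and compat-tree permissions sketched above, written up as an added example (not code from this thread or from FreeIPA itself): an offline audit that parses the text `ipa permission-show` prints and flags any attribute a compat-tree permission would expose to anonymous binds that the matching standard-tree permission does not. Both permission texts are constructed samples, and the "System: Read User Compat Tree" permission is hypothetical.

```python
"""Audit: attributes an anonymous compat-tree permission grants must be a
subset of what the standard-tree permission already grants anonymously."""
import re

# Constructed sample, modelled on `ipa permission-show` output.
STANDARD = """\
  Permission name: System: Read User Standard Attributes
  Granted rights: read, compare, search
  Effective attributes: cn, description, displayname, gecos, gidnumber,
                        initials, ipantsecurityidentifier, loginshell, manager,
                        objectclass, sn, title, uidnumber
  Bind rule type: anonymous
"""

# Hypothetical compat permission; 'homedirectory' and 'uid' are deliberately
# wider than the standard permission so the audit has something to flag.
COMPAT = """\
  Permission name: System: Read User Compat Tree
  Granted rights: read, compare, search
  Effective attributes: cn, gidnumber, homedirectory, loginshell, objectclass,
                        uid, uidnumber
  Bind rule type: anonymous
"""

def parse_permission(text):
    """Map 'Key: value' lines to a dict; indented continuation lines without a
    'Key:' prefix are appended to the previous field's value."""
    fields, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+):\s*(.*)$", line)
        if m:
            key = m.group(1).strip()
            fields[key] = m.group(2).strip()
        elif key and line.strip():
            fields[key] += " " + line.strip()
    return fields

def attrs(fields):
    """Effective attributes as a lower-cased set (trailing commas tolerated)."""
    raw = fields.get("Effective attributes", "")
    return {a.strip().lower() for a in raw.split(",") if a.strip()}

def compat_overexposure(standard_text, compat_text):
    """Attributes readable anonymously via the compat permission but not via
    the standard one; an empty set means the two permissions are consistent."""
    std, cmp_ = parse_permission(standard_text), parse_permission(compat_text)
    if cmp_.get("Bind rule type") != "anonymous":
        return set()            # compat tree is not anonymous: nothing to flag
    if std.get("Bind rule type") != "anonymous":
        return attrs(cmp_)      # standard tree hides everything from anonymous
    return attrs(cmp_) - attrs(std)

if __name__ == "__main__":
    for a in sorted(compat_overexposure(STANDARD, COMPAT)):
        print(f"warning: '{a}' is anonymous-readable through the compat tree only")
```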
Freeipa-devel mailing list