On 09/03/2014 10:45 AM, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
[...]
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.


If you check
cn=users,cn=Schema Compatibility,cn=plugins,cn=config
you would see that we only allow attributes we already expose to
anonymous as
in the basic permission. So it is not that bad.

For users, yes. I assume we want the others to be authenticated only?

But maybe we should add a new internal "link" between standard and
compat tree
permissions and issue a warning when visibility of one is changed...

Regarding missing compat permissions, I would personally add these:

System: Read User Compat Tree
System: Read Group Compat Tree
System: Read Host Compat Tree
System: Read Netgroup Compat Tree

Also, what about sudoers?


--
Petr³
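One way to audit the claim above, that the compat tree only copies attributes the primary tree already exposes anonymously, is to parse the slapi-nis config entry and list every source attribute its templates reference, then compare that against the anonymous allow-list. This is an added example, not code from the thread or from FreeIPA; the config entry below is a constructed sample in the real slapi-nis attribute syntax, and ANON_READABLE is an assumed allow-list standing in for whatever your anonymous read ACI actually grants.

```python
import re
from typing import Iterable, Set

# Constructed sample of a schema compatibility config entry (not copied from a
# real install). %{attr} copies attr from the source entry; %deref*("a","b")
# follows the DNs in a and copies b from the referenced entries.
SAMPLE_COMPAT_ENTRY = """\
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-container-group: cn=compat,dc=example,dc=com
schema-compat-search-base: cn=users,cn=accounts,dc=example,dc=com
schema-compat-entry-rdn: uid=%{uid}
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: uid=%{uid}
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: gecos=%{cn}
schema-compat-entry-attribute: uidNumber=%{uidNumber}
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
schema-compat-entry-attribute: loginShell=%{loginShell}
schema-compat-entry-attribute: userPassword=%{userPassword}
"""

TEMPLATE_REF = re.compile(r'%\{([A-Za-z][\w;-]*)\}')
DEREF_REF = re.compile(r'%deref(?:_\w+)?\("([^"]+)"\s*,\s*"([^"]+)"\)')
TEMPLATE_KEYS = ("schema-compat-entry-attribute", "schema-compat-entry-rdn")


def source_attributes(ldif: str) -> Set[str]:
    """Source-entry attributes (lower-cased) that the compat templates read."""
    refs: Set[str] = set()
    for line in ldif.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() not in TEMPLATE_KEYS:
            continue
        refs.update(m.lower() for m in TEMPLATE_REF.findall(value))
        for member_attr, target_attr in DEREF_REF.findall(value):
            refs.update((member_attr.lower(), target_attr.lower()))
    return refs


def compat_leaks(ldif: str, anon_readable: Iterable[str]) -> Set[str]:
    """Attributes the compat tree would copy that anonymous cannot read in the primary tree."""
    return source_attributes(ldif) - {a.lower() for a in anon_readable}


# Assumed allow-list; replace it with the attributes your anonymous read ACI grants.
ANON_READABLE = ["uid", "cn", "uidNumber", "gidNumber", "homeDirectory", "loginShell"]

if __name__ == "__main__":
    for attr in sorted(compat_leaks(SAMPLE_COMPAT_ENTRY, ANON_READABLE)):
        print("compat tree copies attribute not readable anonymously:", attr)
```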

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
