On 09/03/2014 04:51 PM, Simo Sorce wrote:
On Wed, 2014-09-03 at 13:27 +0200, Petr Viktorin wrote:
This adds managed read permissions to the compat tree.
For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.
I'm unsure if this is what we want to do for groups, but "Read Group
Membership" is only granted to authenticated users by default, and the
compat tree exposes memberuid.
The reason we restrict member is because it exposes also hbac, sudo and
other sensible groupings. memberuid does not have those groups in, so I
think it is safe (and necessary for legacy clients) to allow anonymous
to read it, just like for users.
In that case, I'd also add memberuid to 'Read Groups', to make it clear
what our default policy is.
Freeipa-devel mailing list