On 09/04/2014 04:44 PM, Ludwig Krispenz wrote:
> On 09/04/2014 04:38 PM, Martin Kosek wrote:
>> On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
>> ...
>>>>> createTimestamp is operational attribute and is synthesized by
>>>>> slapi-nis, there is no problem allowing access to it. I think we can
>>>>> allow following operational attributes:
>>>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>>>>> entryDN, hasSubordinates, numSubordinates
>>>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>>>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be 
>>>> allowed
>>>> for whole FreeIPA DIT. So this change is not so related to these patches.
>>>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
>>>> consider that a public information or juts audit-like information for DM 
>>>> only?
>>> They are standard features of LDAP servers. RFC 4512 states:
>>> =============================================================================
>>> 3.4 Operational attributes
>>> ...
>>> Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
>>> 'modifiersName', and 'modifyTimestamp' attributes for all entries of the
>>> DIT.
>>> =============================================================================
>>> This is, again, a question of policy. Active Directory forbids anonymous
>>> access to the tree; so they always expose these attributes to
>>> authenticated users only. If we allow anonymous access, we should allow
>>> these attributes too.
>> Well, DS *does* maintain the attributes - question is whether we want to show
>> them to anonymous/authenticated people or just the DM :)
> if you want to show them depends if it is useful or sensitive.
> I don't know why an anonymous user would need access to them.
> Are they sensitive ? Well, at least they expose a DN which has rights to
> create and modify entries and could be used trying to get more access

Alexander, should we then show just
+            'createtimestamp', 'modifytimestamp', 'entryusn',
to authenticated users? I do not think that modifiers/creatorsDN is something
that anonymous user need to see by default.

Admin can allow it if he wants, but IMO it should not be the default.


Freeipa-devel mailing list

Reply via email to