On 09/04/2014 04:44 PM, Ludwig Krispenz wrote:
> 
> On 09/04/2014 04:38 PM, Martin Kosek wrote:
>> On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
>> ...
>>>>> createTimestamp is operational attribute and is synthesized by
>>>>> slapi-nis, there is no problem allowing access to it. I think we can
>>>>> allow following operational attributes:
>>>>>
>>>>> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
>>>>> entryDN, hasSubordinates, numSubordinates
>>>> Ah, ok, probably yes. At least for some of them - CCing Simo. For example
>>>> entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
>>>> for whole FreeIPA DIT. So this change is not so related to these patches.
>>>>
>>>> Do we also want to expose attributes like creatorsName/modifiersName? Do we
>>>> consider that a public information or just audit-like information for DM
>>>> only?
>>> They are standard features of LDAP servers. RFC 4512 states:
>>> =============================================================================
>>> 3.4 Operational attributes
>>> ...
>>> Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
>>> 'modifiersName', and 'modifyTimestamp' attributes for all entries of the
>>> DIT.
>>> =============================================================================
>>>
>>> This is, again, a question of policy. Active Directory forbids anonymous
>>> access to the tree; so they always expose these attributes to
>>> authenticated users only. If we allow anonymous access, we should allow
>>> these attributes too.
>> Well, DS *does* maintain the attributes - question is whether we want to show
>> them to anonymous/authenticated people or just the DM :)
> if you want to show them depends if it is useful or sensitive.
> I don't know why an anonymous user would need access to them.
> Are they sensitive? Well, at least they expose a DN which has rights to
> create and modify entries and could be used trying to get more access

Alexander, should we then show just
+            'createtimestamp', 'modifytimestamp', 'entryusn',
to authenticated users? I do not think that modifiers/creatorsDN is something
that an anonymous user needs to see by default.

An admin can allow it if he wants, but IMO it should not be the default.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
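The two policies discussed above, written out as 389 Directory Server ACIs. This is an added illustration, not the ACI from the FreeIPA patch under discussion; the suffix `dc=example,dc=com` and the ACI names are placeholders. In 389-DS ACI syntax `userdn = "ldap:///anyone"` matches every bind including anonymous, while `userdn = "ldap:///all"` matches only authenticated binds, which is exactly the distinction the thread turns on.

```ldif
# Added example, not part of the FreeIPA code base.
# Assumed suffix: dc=example,dc=com. ACI names are hypothetical.

# Variant 1 (for contrast only): the policy the thread argues against.
# "ldap:///anyone" includes anonymous binds, so an unauthenticated search
# would reveal creatorsName/modifiersName, i.e. the DN of an account that
# is allowed to create and modify entries.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "createTimestamp || modifyTimestamp || entryUSN || creatorsName || modifiersName")(version 3.0; acl "Example: operational attrs readable by anyone"; allow (read, search, compare) userdn = "ldap:///anyone";)

# Variant 2: the default Martin proposes. Only the timestamps and entryUSN
# (needed by SSSD) are granted, and only to authenticated users
# ("ldap:///all"). creatorsName and modifiersName are deliberately omitted,
# so they are governed by whatever other ACIs exist; Directory Manager
# bypasses ACIs and still sees them. An admin who wants them visible can add
# a separate ACI listing those two attributes.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "createTimestamp || modifyTimestamp || entryUSN")(version 3.0; acl "Example: timestamps and entryUSN for authenticated users"; allow (read, search, compare) userdn = "ldap:///all";)
```

To check which policy is actually in effect, request the attributes explicitly with an anonymous simple bind (`ldapsearch -x -H ldap://<server> -b dc=example,dc=com '(uid=<user>)' createTimestamp modifyTimestamp entryUSN creatorsName modifiersName`) and again after `kinit` with `ldapsearch -Y GSSAPI ...`. Under variant 2 the anonymous result returns the entry with none of those attributes, and the authenticated result returns the first three but not creatorsName or modifiersName. Note that the ACI attribute value is one long line in LDIF; splitting it across lines requires LDIF continuation (a leading space on the continued line).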
