On Fri, 05 Sep 2014, Martin Kosek wrote:
On 09/04/2014 04:44 PM, Ludwig Krispenz wrote:


On 09/04/2014 04:38 PM, Martin Kosek wrote:
On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
...
createTimestamp is operational attribute and is synthesized by
slapi-nis, there is no problem allowing access to it. I think we can
allow following operational attributes:

createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
entryDN, hasSubordinates, numSubordinates
Ah, ok, probably yes. At least for some of them - CCing Simo. For example
entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
for whole FreeIPA DIT. So this change is not so related to these patches.

Do we also want to expose attributes like creatorsName/modifiersName? Do we
consider that a public information or juts audit-like information for DM only?
They are standard features of LDAP servers. RFC 4512 states:
=============================================================================
3.4 Operational attributes
...
Servers SHOULD maintain the 'creatorsName', 'createTimestamp',
'modifiersName', and 'modifyTimestamp' attributes for all entries of the
DIT.
=============================================================================

This is, again, a question of policy. Active Directory forbids anonymous
access to the tree; so they always expose these attributes to
authenticated users only. If we allow anonymous access, we should allow
these attributes too.
Well, DS *does* maintain the attributes - question is whether we want to show
them to anonymous/authenticated people or just the DM :)
if you want to show them depends if it is useful or sensitive.
I don't know why an anonymous user would need access to them.
Are they sensitive ? Well, at least they expose a DN which has rights to
create and modify entries and could be used trying to get more access

Alexander, should we then show just
+            'createtimestamp', 'modifytimestamp', 'entryusn',
to authenticated users? I do not think that modifiers/creatorsDN is something
that anonymous user need to see by default.
createtimestamp, modifytimestamp, and entryusn are all needed for sssd
LDAP provider. Not allowing them for anonymous will make legacy SSSD
performance suboptimal.

modifier/creator DNs can be given out only to authenticated users.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to