On 09/05/2014 09:18 AM, Martin Kosek wrote:
On 09/05/2014 09:03 AM, Alexander Bokovoy wrote:
On Fri, 05 Sep 2014, Alexander Bokovoy wrote:
On Thu, 04 Sep 2014, Martin Kosek wrote:
On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 03:15 PM, Petr Viktorin wrote:
On 09/03/2014 02:27 PM, Petr Viktorin wrote:
On 09/03/2014 01:27 PM, Petr Viktorin wrote:
Hello,
This adds managed read permissions to the compat tree.

For users it grants anonymous access; authenticated users can read
groups, hosts and netgroups.

I'm unsure if this is what we want to do for groups, but "Read Group
Membership" is only granted to authenticated users by default, and the
compat tree exposes memberuid.

https://fedorahosted.org/freeipa/ticket/4521

Self-NACK, there's a typo (though I could swear I tested this :/)



Fixed patch attached.


I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
see if there are no reservations from Alexander or Rob.
I think we need a bit more fixes. Here is ACL log for an anonymous
request:

[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
"cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
aci matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no
aci matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous: no aci matched the subject by aci(27): aciname=
"permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
matched the subject by aci(27): aciname="permission:System: Read DNS
Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
search on
entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
by aci(38): aciname= "permission:System: Read User
Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
search on
entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow
search on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
to anonymous: no aci matched the subject by aci(18): aciname= "Admin can
manage
any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to
anonymous:
cached allow by aci(38)

createTimestamp is an operational attribute and is synthesized by
slapi-nis; there is no problem allowing access to it. I think we can
allow the following operational attributes:

createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
entryDN, hasSubordinates, numSubordinates

Ah, ok, probably yes. At least for some of them - CCing Simo. For example
entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
for the whole FreeIPA DIT. So this change is not so related to these patches.

Do we also want to expose attributes like creatorsName/modifiersName? Do we
consider that public information or just audit-like information for DM only?

Finally, ipaNTSecurityIdentifier may be allowed to access too, I didn't
run ipa-adtrust-install on this machine yet.

I do not think that this attribute is written to cn=compat (did not see it in
config) - is it?


The same set should be allowed for primary tree.


IMO this should be just one global permission/ACI, set for DIT root.

I experimented a bit, by setting SSSD with a simple LDAP provider
talking to a compat tree (with views enabled, but that doesn't change
anything) and I think we need to move to ipapermbindruletype=anonymous
or otherwise such a setup will not work at all. Attached is my take on it
on top of Petr's patchset.

You can ignore views-related ACIs for time being.
Scratch that, it was older version with duplicate entries.

Proper one is attached.


Thanks! Looks sane to me. We would just need to remove Views-related ACIs for
the 4.0.x version that we will need for today.

Thanks indeed!

Here is the patched patch. The Read Operational Attributes permission is split for createtimestamp/modifytimestamp/entryusn (anonymous) and creatorsname/modifiersname (authenticated).

Only admins can read the cn=compat entry itself. I don't think that's an issue though.

--
Petr³

From 4735fa33d895611c7dfacf23ef36583b90b34b99 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 3 Sep 2014 10:54:50 +0200
Subject: [PATCH] Add managed read permissions for compat tree and operational
 attrs

Thanks to Alexander Bokovoy for contributions

https://fedorahosted.org/freeipa/ticket/4521
---
 ACI.txt                                                | 14 +++++++++++++-
 ipalib/plugins/group.py                                | 10 ++++++++++
 ipalib/plugins/host.py                                 | 10 ++++++++++
 ipalib/plugins/netgroup.py                             | 10 ++++++++++
 ipalib/plugins/sudorule.py                             |  2 +-
 ipalib/plugins/user.py                                 | 11 +++++++++++
 .../install/plugins/update_managed_permissions.py      | 18 ++++++++++++++++++
 7 files changed, 73 insertions(+), 2 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 6e286d8e445a757284daec30ca2ee5cc450b0db2..2a3f582765b1ff1de9669f187adb9a57b19f938f 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -50,6 +50,8 @@ dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipausergroup))")(version 3.0;acl "permission:System: Modify Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || gidnumber || memberuid || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
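Review bot: the new "Read Group Compat Tree" ACI grants memberuid to userdn = "ldap:///anyone", while the "Read Group Membership" ACI two lines below keeps memberuid at "ldap:///all" for the primary tree; Petr's first mail flagged exactly this, and the anonymous rule is justified by Alexander's test of SSSD's LDAP provider against the compat tree, so state that rationale in the commit message rather than leaving the two bind rules looking inconsistent.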
@@ -96,6 +98,8 @@ dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || macaddress || objectclass")(target = "ldap:///cn=computers,cn=compat,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read Host Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
@@ -126,6 +130,8 @@ dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "externalhost || member || memberhost || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Modify Netgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "description")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Modify Netgroups";allow (write) groupdn = "ldap:///cn=System: Modify Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || membernisnetgroup || nisnetgrouptriple || objectclass")(target = "ldap:///cn=ng,cn=compat,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read Netgroup Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "externalhost || member || memberhost || memberof || memberuser || objectclass")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
@@ -213,7 +219,7 @@ aci: (targetattr = "cmdcategory || description || externalhost || externaluser |
 dn: cn=sudorules,cn=sudo,dc=ipa,dc=example
 aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasextusergroup || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || member || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: dc=ipa,dc=example
-aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";;)
+aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=trusts,dc=ipa,dc=example
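Review bot: this hunk relaxes an already-shipped permission ("System: Read Sudoers compat tree") from "ldap:///all" to "ldap:///anyone"; that is a behaviour change for upgraded servers, not just a new permission, and deserves a sentence in the commit message. Minor: the name's capitalisation ("compat tree") differs from the four new "Compat Tree" permissions this patch adds; renaming a shipped managed permission is disruptive, so leave it, but keep the new names consistent with each other.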
@@ -232,6 +238,8 @@ dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || gecos || gidnumber || homedirectory || loginshell || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
@@ -252,6 +260,8 @@ dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "authorityrevocationlist || cacertificate || certificaterevocationlist || cn || crosscertificatepair || objectclass")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Read CA Certificate";allow (compare,read,search) userdn = "ldap:///anyone";;)
 dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: dc=ipa,dc=example
+aci: (targetattr = "creatorsname || modifiersname")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Creator and Modifier Operational Attributes";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
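Review bot: with the ACI at the base DN and targetfilter "(objectclass=*)", creatorsname and modifiersname become readable by every bound identity on every entry in the DIT, including entries whose regular attributes are admin-only; Martin's question whether these are audit-like data for the Directory Manager only was not settled in the thread, so record the decision (authenticated, not anonymous) in the commit message.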
@@ -260,3 +270,5 @@ dn: cn=config
 aci: (targetattr = "cn || description || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=replication,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";;)
+dn: dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || modifytimestamp")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Timestamp and USN Operational Attributes";allow (compare,read,search) userdn = "ldap:///anyone";;)
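Review bot: createtimestamp, modifytimestamp and entryusn at the base DN with "(objectclass=*)" for "ldap:///anyone" let an unauthenticated client learn the modification time and USN of any entry, even one it cannot otherwise read (the ACL log earlier in the thread shows decisions are made per attribute); the justification is SSSD's use of entryUSN, so say in the commit message that this is intended for the whole DIT, not only cn=compat.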
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 69740dfe1269ffac3bbd60fbe387dd2191518cf8..8d2e69f062ec9bcf2de2af77efc2aec2cc8b51ca 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -202,6 +202,16 @@ class group(LDAPObject):
             ],
             'default_privileges': {'Group Administrators'},
         },
+        'System: Read Group Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=groups', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'memberuid', 'gidnumber',
+            },
+        },
     }
 
     label = _('User Groups')
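Review bot: the four "Read ... Compat Tree" permissions added to group.py, host.py, netgroup.py and user.py have the same shape (non_object, anonymous bind, location at basedn, target under cn=compat, read/search/compare) and differ only in the target RDN and the attribute set; a small helper building the dict from those two inputs would keep the bind rule in one place, which matters given the thread already changed it once from all to anonymous.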
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index ee858ad273c86404c2a9e7ad90500f4477e052e1..3f5e4e7c848a47df308d3b39fbf0228924fc3c42 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -368,6 +368,16 @@ class host(LDAPObject):
             'ipapermdefaultattr': {'userpassword'},
             'default_privileges': {'Host Administrators', 'Host Enrollment'},
         },
+        'System: Read Host Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=computers', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'macaddress',
+            },
+        },
     }
 
     label = _('Hosts')
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index a7cad1dcb80e77f87f70fb12c0344f185d02cdb4..da2808f5acc2499b56aead94005fdea92bca7b00 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -160,6 +160,16 @@ class netgroup(LDAPObject):
             ],
             'default_privileges': {'Netgroups Administrators'},
         },
+        'System: Read Netgroup Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=ng', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'cn', 'membernisnetgroup', 'nisnetgrouptriple',
+            },
+        },
     }
 
     label = _('Netgroups')
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index d2d30a148f80c337b701b9697cb5078daba5be6f..f16d275b294634e3e2b7329ffe6f4f7804fd3cf2 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -166,7 +166,7 @@ class sudorule(LDAPObject):
             'non_object': True,
             'ipapermlocation': api.env.basedn,
             'ipapermtarget': DN('ou=sudoers', api.env.basedn),
-            'ipapermbindruletype': 'all',
+            'ipapermbindruletype': 'anonymous',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'objectclass', 'cn', 'ou',
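Review bot: the change from 'all' to 'anonymous' is on an existing managed permission; confirm that the managed-permissions updater rewrites ipapermbindruletype on already-installed servers rather than only applying it when the permission is first created, otherwise ACI.txt and upgraded deployments will diverge.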
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 454d219725cbb2803ea4f5ead3ba76672f3fd02f..f95b4fd4a9bc3f478f6fd523bf242002a5b6649f 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -424,6 +424,17 @@ class user(LDAPObject):
             ],
             'default_privileges': {'User Administrators'},
         },
+        'System: Read User Compat Tree': {
+            'non_object': True,
+            'ipapermbindruletype': 'anonymous',
+            'ipapermlocation': api.env.basedn,
+            'ipapermtarget': DN('cn=users', 'cn=compat', api.env.basedn),
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'objectclass', 'uid', 'cn', 'gecos', 'gidnumber', 'uidnumber',
+                'homedirectory', 'loginshell',
+            },
+        },
     }
 
     label = _('Users')
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 8c83b1ccca5520327e5c8abc9b9a8355a7fd8cd6..e02fb64f242795fdf281c51e214583cec729992c 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -96,6 +96,24 @@
 register = Registry()
 
 NONOBJECT_PERMISSIONS = {
+    'System: Read Timestamp and USN Operational Attributes': {
+        'ipapermlocation': api.env.basedn,
+        'ipapermtargetfilter': {'(objectclass=*)'},
+        'ipapermbindruletype': 'anonymous',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'createtimestamp', 'modifytimestamp', 'entryusn',
+        },
+    },
+    'System: Read Creator and Modifier Operational Attributes': {
+        'ipapermlocation': api.env.basedn,
+        'ipapermtargetfilter': {'(objectclass=*)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'creatorsname', 'modifiersname',
+        },
+    },
     'System: Read IPA Masters': {
         'replaces_global_anonymous_aci': True,
         'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
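Review bot: both new entries use targetfilter {'(objectclass=*)'} at api.env.basedn but, unlike 'System: Read IPA Masters' just below, do not set 'replaces_global_anonymous_aci'; if these operational attributes were previously covered by the global anonymous ACI that should be stated, and a short comment on why creatorsname/modifiersname get 'all' while the timestamps and entryusn get 'anonymous' (the split Petr describes in his mail) would help the next reader.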
-- 
1.9.3
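As an added example (not part of the thread or of FreeIPA's code), the script below parses ACI lines in the format used by the ACI.txt hunks above, reports which attributes each ACI grants to anonymous (userdn = "ldap:///anyone") versus authenticated (userdn = "ldap:///all") binds, and flags attributes, such as memberuid, that one ACI grants anonymously while another keeps them authenticated-only; that is the question Petr raised about group membership and the compat tree. The sample ACIs are copied from the patch; a match is by attribute name only, so each hit is a review question, not a proven leak.

```python
import re

# ACI strings copied from the ACI.txt hunks of the patch in this thread
# (dc=ipa,dc=example base DN); the parser and report are an added example.
SAMPLE_ACIS = [
    '(targetattr = "cn || gidnumber || memberuid || objectclass")'
    '(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example";)'
    '(version 3.0;acl "permission:System: Read Group Compat Tree";'
    'allow (compare,read,search) userdn = "ldap:///anyone";;)',
    '(targetattr = "member || memberhost || memberof || memberuid || memberuser")'
    '(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")'
    '(version 3.0;acl "permission:System: Read Group Membership";'
    'allow (compare,read,search) userdn = "ldap:///all";;)',
    '(targetattr = "creatorsname || modifiersname")(targetfilter = "(objectclass=*)")'
    '(version 3.0;acl "permission:System: Read Creator and Modifier Operational Attributes";'
    'allow (compare,read,search) userdn = "ldap:///all";;)',
    '(targetattr = "createtimestamp || entryusn || modifytimestamp")'
    '(targetfilter = "(objectclass=*)")'
    '(version 3.0;acl "permission:System: Read Timestamp and USN Operational Attributes";'
    'allow (compare,read,search) userdn = "ldap:///anyone";;)',
    '(targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,'
    'cn=Managed Entries,cn=etc,dc=ipa,dc=example")'
    '(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) '
    'groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)',
]

ANONYMOUS = "anonymous"          # userdn = "ldap:///anyone": no bind required
AUTHENTICATED = "authenticated"  # userdn = "ldap:///all": any bound identity


def _quoted(body, key):
    """Return the quoted value of a (key = "...") clause, or None if absent."""
    m = re.search(r'\(%s\s*=\s*"([^"]*)"' % key, body)
    return m.group(1) if m else None


def parse_aci(line):
    """Split one 389-ds ACI into the parts a reviewer cares about."""
    body = line.split(":", 1)[1].strip() if line.startswith("aci:") else line
    name = re.search(r'acl\s+"([^"]*)"', body).group(1)
    rights = {r.strip() for r in re.search(r'allow\s*\(([^)]*)\)', body).group(1).split(",")}
    kind, value = re.search(r'(userdn|groupdn)\s*=\s*"([^"]*)"', body).groups()
    if kind == "userdn" and value == "ldap:///anyone":
        subject = ANONYMOUS
    elif kind == "userdn" and value == "ldap:///all":
        subject = AUTHENTICATED
    else:
        subject = "%s:%s" % (kind, value)  # group-scoped or other explicit bind rule
    attrs = {a.strip().lower() for a in _quoted(body, "targetattr").split("||")}
    return {"name": name, "subject": subject, "rights": rights, "attrs": attrs,
            "target": _quoted(body, "target"), "filter": _quoted(body, "targetfilter")}


def anonymous_read_attrs(lines):
    """Map each attribute to the names of the ACIs that let anonymous binds read it."""
    exposed = {}
    for aci in map(parse_aci, lines):
        if aci["subject"] == ANONYMOUS and "read" in aci["rights"]:
            for attr in aci["attrs"]:
                exposed.setdefault(attr, set()).add(aci["name"])
    return exposed


def weaker_than_authenticated(lines):
    """(attr, anonymous ACI, authenticated ACI) for attributes guarded by an
    authenticated-only ACI but handed to anonymous binds by another one."""
    acis = [parse_aci(ln) for ln in lines]
    hits = []
    for anon in (a for a in acis if a["subject"] == ANONYMOUS):
        for auth in (a for a in acis if a["subject"] == AUTHENTICATED):
            for attr in sorted(anon["attrs"] & auth["attrs"]):
                hits.append((attr, anon["name"], auth["name"]))
    return hits


if __name__ == "__main__":
    for attr, names in sorted(anonymous_read_attrs(SAMPLE_ACIS).items()):
        print("%-16s anonymous via %s" % (attr, ", ".join(sorted(names))))
    for attr, anon, auth in weaker_than_authenticated(SAMPLE_ACIS):
        print("review: %s is anonymous in %r but authenticated-only in %r" % (attr, anon, auth))
```

Run it over a full ACI.txt by feeding every "aci:" line to the two functions; group-scoped ACIs (groupdn) are parsed but excluded from the comparison.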

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel