Re: [Freeipa-devel] [PATCHES] 0642-0643 Move granting read access to entryusn & timestamp entries to individual permissions

Fri, 12 Sep 2014 07:26:35 -0700 

On 09/12/2014 01:53 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/4534

The entryusn and timestamp operational attributes are now automatically added
to every read permission that targets objectclass, whether managed or
user-created.

The 'System: Read Timestamp and USN Operational Attributes', which was added
for 4.0.2, is removed on upgrade.




This looks good to me. deref search now return expected results:
# ldapsearch -h `hostname` -Y GSSAPI -b uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E 'deref=memberof:objectclass,entryusn' 
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with scope subtree 
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof: <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgr
 oup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedG
 roup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc
 =test

# memberof: <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnam
 es>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=t
 rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test

objectClass: top
objectClass: person
...
I.e. only the memberof objects that the host has access to are dereferenced. Updated permissions also look OK. 

Thus ACK from me of there are no other objections.

What should we do about remaining Operational permission?

--------------------
1 permission matched
--------------------
  Permission name: System: Read Creator and Modifier Operational Attributes
  Granted rights: read, compare, search
  Effective attributes: creatorsname, modifiersname
  Default attributes: modifiersname, creatorsname
  Bind rule type: all
  Subtree: dc=mkosek-fedora20,dc=test
  Extra target filter: (objectclass=*)
----------------------------
Number of entries returned 1
----------------------------
? Any host can still use deref to for example find creatorsname or modifiersname of memberof entries.
I would personally rather delete the permission and keep the attributes only for DM (and admin) or make it permission-based as SSSD does not use it anyway, AFAIK. 

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to