On 09/12/2014 01:53 PM, Petr Viktorin wrote:

The entryusn and timestamp operational attributes are now automatically added
to every read permission that targets objectclass, whether managed or

The 'System: Read Timestamp and USN Operational Attributes', which was added
for 4.0.2, is removed on upgrade.

This looks good to me. deref search now return expected results:

# ldapsearch -h `hostname` -Y GSSAPI -b uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E 'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL data security layer installed.
# extended LDIF
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: false ...
# memberof: <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgr

# memberof: <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnam
 rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test

objectClass: top
objectClass: person

I.e. only the memberof objects that the host has access to are dereferenced. Updated permissions also look OK.

Thus ACK from me of there are no other objections.

What should we do about remaining Operational permission?

1 permission matched
  Permission name: System: Read Creator and Modifier Operational Attributes
  Granted rights: read, compare, search
  Effective attributes: creatorsname, modifiersname
  Default attributes: modifiersname, creatorsname
  Bind rule type: all
  Subtree: dc=mkosek-fedora20,dc=test
  Extra target filter: (objectclass=*)
Number of entries returned 1
? Any host can still use deref to for example find creatorsname or modifiersname of memberof entries.

I would personally rather delete the permission and keep the attributes only for DM (and admin) or make it permission-based as SSSD does not use it anyway, AFAIK.


Freeipa-devel mailing list

Reply via email to