On 09/12/2014 01:53 PM, Petr Viktorin wrote:
https://fedorahosted.org/freeipa/ticket/4534
The entryusn and timestamp operational attributes are now
automatically added
to every read permission that targets objectclass, whether managed or
user-created.
The 'System: Read Timestamp and USN Operational Attributes', which was
added
for 4.0.2, is removed on upgrade.
This looks good to me. deref search now return expected results:
# ldapsearch -h `hostname` -Y GSSAPI -b
uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E
'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#
# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof:
<objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgr
oup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedG
roup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc
=test
# memberof:
<objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnam
es>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=t
rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
objectClass: top
objectClass: person
...
I.e. only the memberof objects that the host has access to are
dereferenced. Updated permissions also look OK.
Thus ACK from me of there are no other objections.
What should we do about remaining Operational permission?
--------------------
1 permission matched
--------------------
Permission name: System: Read Creator and Modifier Operational
Attributes
Granted rights: read, compare, search
Effective attributes: creatorsname, modifiersname
Default attributes: modifiersname, creatorsname
Bind rule type: all
Subtree: dc=mkosek-fedora20,dc=test
Extra target filter: (objectclass=*)
----------------------------
Number of entries returned 1
----------------------------
? Any host can still use deref to for example find creatorsname or
modifiersname of memberof entries.
I would personally rather delete the permission and keep the attributes
only for DM (and admin) or make it permission-based as SSSD does not use
it anyway, AFAIK.
Martin