On 09/12/2014 05:02 PM, Martin Kosek wrote:
On 09/12/2014 04:46 PM, Petr Viktorin wrote:
On 09/12/2014 04:25 PM, Martin Kosek wrote:
On 09/12/2014 01:53 PM, Petr Viktorin wrote:
https://fedorahosted.org/freeipa/ticket/4534

The entryusn and timestamp operational attributes are now automatically added to every read permission that targets objectclass, whether managed or user-created.

The 'System: Read Timestamp and USN Operational Attributes', which was added for 4.0.2, is removed on upgrade.



This looks good to me. deref search now returns expected results:

# ldapsearch -h `hostname` -Y GSSAPI -b uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -E 'deref=memberof:objectclass,entryusn'
SASL/GSSAPI authentication started
SASL username: host/ipa.mkosek-fedora20.t...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof: <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgroup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedgroup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
# memberof: <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnames>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=trust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
objectClass: top
objectClass: person
...


I.e. only the memberof objects that the host has access to are
dereferenced. Updated permissions also look OK.

Thus ACK from me if there are no other objections.

What should we do about the remaining Operational permission?

--------------------
1 permission matched
--------------------
   Permission name: System: Read Creator and Modifier Operational Attributes
   Granted rights: read, compare, search
   Effective attributes: creatorsname, modifiersname
   Default attributes: modifiersname, creatorsname
   Bind rule type: all
   Subtree: dc=mkosek-fedora20,dc=test
   Extra target filter: (objectclass=*)
----------------------------
Number of entries returned 1
----------------------------
? Any host can still use deref to, for example, find creatorsname or
modifiersname of memberof entries.

I would personally rather delete the permission and keep the attributes
only for DM (and admin) or make it permission-based as SSSD does not use
it anyway, AFAIK.

Martin

This version removes 'System: Read Creator and Modifier Operational Attributes' as well.


Works fine. ACK.

Thanks! Pushed to:
ipa-4-0: f47da6a761a97134668cf674c78f5f9271c98e8b
ipa-4-1: a0e23ce210506be84716343982ef43099841177b
master: 4fac4f4cf65b54bc0b194928341b31e3c67d63a5

(You will need to regenerate ACI.txt for each merged branch as there are
conflicts).

(Yeah, whoever invented this ACI.txt thing, I need to have a talk with him)


--
Petr³
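To make the deref check from Martin's test repeatable rather than eyeballed, here is an added Python example (my own, not FreeIPA code) that parses the "# memberof: <attr=value>;...;<dn>" comment lines ldapsearch prints for the dereference control, unfolds LDIF-wrapped lines, and reports whether any dereferenced entry still exposes creatorsname or modifiersname, the attributes whose permission this patch removes. The first sample is constructed from the listing quoted above; the "before fix" sample, its dc=example suffix and its values are hypothetical.

```python
import re

# Constructed sample modelled on the ldapsearch output quoted in the thread.
# The second "# memberof:" line is folded the way it appears there: the
# continuation line starts with a single space (RFC 2849 LDIF folding), so
# "cn=t" + "rust admins" reads back as "cn=trust admins".
SAMPLE_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#

# admin, users, accounts, mkosek-fedora20.test
dn: uid=admin,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false ...
# memberof: <objectclass=top>;<objectclass=groupofnames>;<objectclass=posixgroup>;<objectclass=ipausergroup>;<objectclass=ipaobject>;<objectclass=nestedgroup>;<entryusn=16719>;cn=admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
# memberof: <objectclass=top>;<objectclass=ipaobject>;<objectclass=groupofnames>;<objectclass=ipausergroup>;<objectclass=nestedgroup>;<entryusn=375>;cn=t
 rust admins,cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
objectClass: top
objectClass: person
"""

# Constructed "before the fix" sample (hypothetical values, dc=example): a host
# bind whose deref results still carry the creator/modifier attributes.
LEAKY_OUTPUT = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
# memberof: <objectclass=top>;<creatorsname=cn=directory manager>;<modifiersname=cn=directory manager>;<entryusn=42>;cn=admins,cn=groups,cn=accounts,dc=example,dc=test
"""

# The two operational attributes whose read permission the patch removes.
# (entryusn and the timestamps stay readable next to objectclass.)
RESTRICTED_OPERATIONAL = {"creatorsname", "modifiersname"}

# ldapsearch prints each dereferenced value as a comment line:
#   # <deref attr>: <attr=value>;<attr=value>;...;<DN of the dereferenced entry>
DEREF_RE = re.compile(r"^# (?P<attr>[A-Za-z][\w-]*): (?P<spec>.*)$")


def unfold_ldif(text):
    """Join RFC 2849 folded lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_deref_comments(text):
    """Return [(deref_attr, dereferenced_dn, {attr: [values]})] for every deref
    comment inside an entry (after its dn: line, before the blank line that
    ends the entry).  Header comments such as '# filter: ...' come before any
    dn: line and are therefore ignored."""
    results = []
    inside_entry = False
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            inside_entry = True
            continue
        if line == "":
            inside_entry = False
            continue
        m = DEREF_RE.match(line)
        if not inside_entry or not m:
            continue
        # The DN is the last ';'-separated element; the rest are <attr=value>.
        # (A DN or value containing ';' would need a real LDIF parser; the
        # constructed samples contain none.)
        parts = m.group("spec").split(";")
        dn, attr_items = parts[-1], parts[:-1]
        attrs = {}
        for item in attr_items:
            if item.startswith("<") and item.endswith(">"):
                name, _, value = item[1:-1].partition("=")
                attrs.setdefault(name.lower(), []).append(value)
        results.append((m.group("attr"), dn, attrs))
    return results


def exposed_restricted(text):
    """Map each dereferenced DN to the restricted operational attributes the
    reader could see through deref; empty when the ACIs behave as intended."""
    exposed = {}
    for _, dn, attrs in parse_deref_comments(text):
        leaked = sorted(set(attrs) & RESTRICTED_OPERATIONAL)
        if leaked:
            exposed[dn] = leaked
    return exposed


if __name__ == "__main__":
    for label, output in (("after fix", SAMPLE_OUTPUT), ("before fix", LEAKY_OUTPUT)):
        print(f"== {label} ==")
        for deref_attr, dn, attrs in parse_deref_comments(output):
            print(f"{deref_attr} -> {dn}: {sorted(attrs)}")
        print("restricted attributes exposed:", exposed_restricted(output) or "none")
```

Run it against a saved ldapsearch transcript taken with a host keytab; an empty result from exposed_restricted() is what the patched permissions should produce, since the bind reads only the objectclass, entryusn and timestamp attributes of the groups it is allowed to see.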

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
