On 3.10.2014 16:46, Simo Sorce wrote:

I did not do any ACI work in the patch yet. I assume that we would like
to add the attr into 'System: Read Host|Service' permission. But I
think that write right should have its own permission.

I have added 2 new permissions. Simo, are they OK?

for services:
'System: Manage Service Keytab Permissions': {
      'ipapermright': {'read', 'search', 'compare', 'write'},
      'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
      'default_privileges': {'Service Administrators', 'Host

for hosts:
'System: Manage Host Keytab Permissions': {
      'ipapermright': {'read', 'search', 'compare', 'write'},
      'ipapermdefaultattr': {'ipaallowedtoperform', 'objectclass'},
      'default_privileges': {'Host Administrators'},

I'm not sure about the write right for 'objectclass' but it's required
in order to add 'ipaallowedoperations' oc.

As long as it allows only to add/remove the specific value it should be fine.

Can you please send the raw ACIs?
I still find it difficult to reason on the security of the result without
looking at the lower level.

in cn=computers,cn=accounts,dc=example,dc=com:

(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)

in cn=services,cn=accounts,dc=idm,dc=example,dc=com:

(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service Keytab Permissions,cn=permissions,cn=pbac,dc=example,dc=com";)


Petr Vobornik
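The condition Simo asks about ("as long as it allows only to add/remove the specific value") can be checked mechanically from the raw ACIs. The script below is an added example, not code from the thread or from FreeIPA: it parses the two ACIs posted above into their target attributes, target filter, rights and bind rule, and flags any ACI that grants write on objectclass without a 389-ds targattrfilters clause limiting which objectclass values may be added or deleted. The third ACI (RESTRICTED_ACI) is constructed for this example to show what such a value-restricted grant looks like in raw 389-ds syntax; whether the FreeIPA permission plugin can emit that clause is not something the thread says, so it is shown only at the ACI level. The group DN in it is made up.

```python
import re
from dataclasses import dataclass, field

# The two raw ACIs posted in the thread, verbatim.
HOST_ACI = (
    '(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || modifytimestamp || objectclass")'
    '(targetfilter = "(objectclass=ipahost)")'
    '(version 3.0;acl "permission:System: Manage Host Keytab Permissions";'
    'allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,'
    'cn=permissions,cn=pbac,dc=example,dc=com";)'
)
SERVICE_ACI = (
    '(targetattr = "createtimestamp || entryusn || ipaallowedtoperform || modifytimestamp || objectclass")'
    '(targetfilter = "(objectclass=ipaservice)")'
    '(version 3.0;acl "permission:System: Manage Service Keytab Permissions";'
    'allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service Keytab Permissions,'
    'cn=permissions,cn=pbac,dc=example,dc=com";)'
)
# Constructed for this example (not from the thread or FreeIPA): the same kind of grant,
# but with a 389-ds targattrfilters clause so the write right on objectclass can only
# add or delete the ipaallowedoperations value. The group DN is made up.
RESTRICTED_ACI = (
    '(targetattr = "ipaallowedtoperform || objectclass")'
    '(targattrfilters = "add=objectclass:(objectclass=ipaallowedoperations); '
    'del=objectclass:(objectclass=ipaallowedoperations)")'
    '(targetfilter = "(objectclass=ipahost)")'
    '(version 3.0;acl "constructed: value-restricted objectclass write";'
    'allow (compare,read,search,write) groupdn = "ldap:///cn=Example Group,cn=groups,cn=accounts,dc=example,dc=com";)'
)


@dataclass
class Aci:
    name: str
    target_attrs: set
    attrs_negated: bool          # True for the targetattr != "..." form
    target_filter: str
    rights: set
    allow: bool
    bind_rule: str
    targattrfilters: dict = field(default_factory=dict)  # {"add"|"del": {attr: filter}}


def _parse_targattrfilters(raw):
    """'add=a:(f1) && b:(f2); del=a:(f3)' -> {'add': {'a': '(f1)', 'b': '(f2)'}, 'del': {'a': '(f3)'}}"""
    out = {}
    for clause in raw.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        op, spec = clause.split("=", 1)
        per_attr = {}
        for item in spec.split("&&"):
            attr, filt = item.strip().split(":", 1)
            per_attr[attr.strip().lower()] = filt.strip()
        out[op.strip().lower()] = per_attr
    return out


def parse_aci(text):
    """Pull the security-relevant parts out of a single 389-ds ACI string."""
    name = re.search(r'acl\s+"([^"]*)"', text).group(1)
    m = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', text)
    attrs = {a.strip().lower() for a in m.group(2).split("||")} if m else set()
    negated = bool(m and m.group(1) == "!=")
    m = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', text)
    target_filter = m.group(1) if m else ""
    m = re.search(r'\(targattrfilters\s*=\s*"([^"]*)"\)', text)
    taf = _parse_targattrfilters(m.group(1)) if m else {}
    # \b keeps "allow" inside attribute names like ipaallowedtoperform from matching.
    m = re.search(r'\b(allow|deny)\b\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', text)
    rights = {r.strip().lower() for r in m.group(2).split(",")}
    return Aci(name, attrs, negated, target_filter, rights, m.group(1) == "allow", m.group(3), taf)


def unrestricted_objectclass_write(aci):
    """True when the ACI lets the bound group write *any* objectclass value, i.e. it
    does not meet the "only add/remove the specific value" condition from the thread."""
    if not aci.allow or "write" not in aci.rights:
        return False
    listed = "*" in aci.target_attrs or "objectclass" in aci.target_attrs
    if listed == aci.attrs_negated:      # objectclass is not in scope of this ACI
        return False
    add_f = aci.targattrfilters.get("add", {}).get("objectclass")
    del_f = aci.targattrfilters.get("del", {}).get("objectclass")
    return not (add_f and del_f)


def audit(aci_texts):
    """Names of the ACIs that grant value-unrestricted write on objectclass."""
    return [a.name for a in map(parse_aci, aci_texts) if unrestricted_objectclass_write(a)]


if __name__ == "__main__":
    for text in (HOST_ACI, SERVICE_ACI, RESTRICTED_ACI):
        a = parse_aci(text)
        print(a.name)
        print(f"  filter={a.target_filter} rights={sorted(a.rights)} attrs={sorted(a.target_attrs)}")
        print(f"  unrestricted objectclass write: {unrestricted_objectclass_write(a)}")
```

Run against the two ACIs from the thread, both are flagged: write on objectclass is granted for every value, so the group can add any objectclass to a host or service entry (though it can only populate attributes listed in targetattr). The constructed third ACI passes the check because its targattrfilters clause pins both add and del of objectclass to the single ipaallowedoperations value.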

