On 10/09/2014 06:40 PM, Nathaniel McCallum wrote:
On Thu, 2014-10-09 at 18:32 +0200, thierry bordaz wrote:
On 10/09/2014 06:27 PM, Nathaniel McCallum wrote:
On Thu, 2014-10-09 at 14:11 +0200, thierry bordaz wrote:
On 10/08/2014 11:46 PM, Nathaniel McCallum wrote:
The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456
Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920
There are two outstanding issues:
1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.
The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID
Hello Nathaniel,
The post-read control needs access to the modified entry to
return it.
This access is granted on the condition that the binddn can access the
attributes.
Agreed and understood.
My understanding is that the target entry is
ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com
and the binddn "uid=otp,cn=users,cn=accounts,dc=example,dc=com".
Correct.
The only ACI I found that match this target is:
aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
Correct.
Do you know if the target entry has 'ipatokenOwner' or
'managedBy' with the binddn value ?
Yes, both. So why is access to objectClass (et cetera) being denied?
Good question... I will try to reproduce
Thanks!
Hello,
I tried to reproduce and it seems to work on *master*.
I am using the attached ldif file.
The test case is to bind as "cn=active guy,cn=accounts,dc=example,dc=com" and to do a modify on "cn=active otp,cn=otp,dc=example,dc=com".
The modify updates the 'description' attribute and does a postread (description, cn).
The write to 'description' is allowed by:
dn: cn=otp,dc=example,dc=com
aci: (targetfilter = "(objectclass=organizationalPerson)")(target = "ldap:///cn=*,cn=otp,dc=example,dc=com")(targetattr = "objectclass || description || seeAlso")(version 3.0; acl "Active user modify otp entry"; allow (write) userdn = "ldap:///cn=active guy,cn=accounts,dc=example,dc=com";)
[09/Oct/2014:22:07:56 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(19) " "Active user modify otp entry""
[09/Oct/2014:22:07:56 +0200] NSACLPlugin - conn=2 op=16 (main): Allow write on entry(cn=active otp,cn=otp,dc=example,dc=com).attr(description) to cn=active guy,cn=accounts,dc=example,dc=com: allowed by aci(19): aciname= "Active user modify otp entry", acidn="cn=otp,dc=example,dc=com"
The postread is allowed by:
dn: cn=otp,dc=example,dc=com
aci: (targetfilter = "(objectclass=organizationalPerson)") (targetattr = "objectclass || description || seeAlso || cn")(version 3.0; acl "Active user can read his entries"; allow (read, search, compare) userattr = "seeAlso#USERDN";)
[09/Oct/2014:22:07:58 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(21) " "Active user can read his entries""
[09/Oct/2014:22:07:58 +0200] NSACLPlugin - Found READ ALLOW in cache
[09/Oct/2014:22:07:58 +0200] NSACLPlugin - conn=2 op=16 (main): Allow read on entry(cn=active otp,cn=otp,dc=example,dc=com).attr(cn) to cn=active guy,cn=accounts,dc=example,dc=com: cached allow by aci(21)
The postread works if I use USERDN or SELFDN.
Please let me know the version of 389-ds that you are testing; I
will try on that branch.
thanks
thierry
The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90
Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.
Part of the strange thing is that in the post read control request, I
haven't indicated that I want *any* attributes returned (i.e. I want
just the DN). So I'm not sure why it is querying all the attributes. I
would suspect that the proper behavior would be to only check the ACIs
on attributes that will actually be returned.
It may not be querying all attributes, but just searching for the first
one it can read.
As it finds none of them, you get the message for all
attributes.
Right, but why iterate through all possible attributes? It should only
iterate through the attributes requested. Whether the user can read a
non-requested attribute or not is irrelevant because the attribute was
not requested.
I think it is iterating over the attributes in the entry, searching for the
first one that the authenticated subject is allowed to read.
I agree. The question is: why?
Nathaniel
version: 1
# entry-id: 1
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
aci: (targetattr="carLicense || description || displayName || facsimileTelepho
neNumber || homePhone || homePostalAddress || initials || jpegPhoto || labele
dURI || mail || mobile || pager || photo || postOfficeBox || postalAddress ||
postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddr
ess || roomNumber || secretary || seeAlso || st || street || telephoneNumber
|| telexNumber || title || userCertificate || userPassword || userSMIMECertif
icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for commo
n attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow
(all) (groupdn = "ldap:///cn=Directory Administrators, dc=example,dc=com");)
nsUniqueId: 256b7580-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName: cn=directory manager
createTimestamp: 20140919130911Z
modifyTimestamp: 20141009200413Z
# entry-id: 2
dn: cn=Directory Administrators,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
nsUniqueId: 256b7581-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName:
createTimestamp: 20140919130911Z
modifyTimestamp: 20140919130911Z
# entry-id: 3
dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
nsUniqueId: 256b7582-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName:
createTimestamp: 20140919130911Z
modifyTimestamp: 20140919130911Z
# entry-id: 4
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber
")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ld
ap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version
3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "lda
p:///cn=Accounting Managers,ou=groups,dc=example,dc=com");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(ve
rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR M
anagers,ou=groups,dc=example,dc=com");)
aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(ver
sion 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Ma
nagers,ou=groups,dc=example,dc=com");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)"
)(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ld
ap:///cn=PD Managers,ou=groups,dc=example,dc=com");)
nsUniqueId: 256b7583-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName:
createTimestamp: 20140919130911Z
modifyTimestamp: 20140919130911Z
# entry-id: 5
dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
nsUniqueId: 256b7584-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName:
createTimestamp: 20140919130911Z
modifyTimestamp: 20140919130911Z
# entry-id: 6
dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager
nsUniqueId: 256b7585-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName:
createTimestamp: 20140919130911Z
modifyTimestamp: 20140919130911Z
# entry-id: 7
dn: cn=HR Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager
nsUniqueId: 256b7586-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName:
createTimestamp: 20140919130911Z
modifyTimestamp: 20140919130911Z
# entry-id: 8
dn: cn=QA Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
nsUniqueId: 256b7587-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName:
createTimestamp: 20140919130911Z
modifyTimestamp: 20140919130911Z
# entry-id: 9
dn: cn=PD Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager
nsUniqueId: 256b7588-3ffe11e4-9c93c9dd-6d313157
creatorsName:
modifiersName:
createTimestamp: 20140919130911Z
modifyTimestamp: 20140919130911Z
# entry-id: 10
dn: cn=accounts,dc=example,dc=com
objectClass: top
objectClass: nscontainer
cn: accounts
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141009200413Z
modifyTimestamp: 20141009200413Z
nsUniqueId: 69dfa582-4fef11e4-a2f3db6b-a9db56cd
# entry-id: 11
dn: cn=otp,dc=example,dc=com
objectClass: top
objectClass: nscontainer
cn: otp
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141009200413Z
modifyTimestamp: 20141009200413Z
nsUniqueId: 69dfa583-4fef11e4-a2f3db6b-a9db56cd
aci: (targetfilter = "(objectclass=organizationalPerson)")(target = "ldap:///c
n=*,cn=otp,dc=example,dc=com")(targetattr = "objectclass || description || se
eAlso")(version 3.0; acl "Active user modify otp entry"; allow (write) userdn
= "ldap:///cn=active guy,cn=accounts,dc=example,dc=com";)
aci: (targetfilter = "(objectclass=organizationalPerson)") (targetattr = "obje
ctclass || description || seeAlso || cn")(version 3.0; acl "Active user can r
ead his entries"; allow (read, search, compare) userattr = "seeAlso#USERDN";)
# entry-id: 12
dn: cn=active guy,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetuser
cn: active guy
description: final description
sn: active guy
userPassword:: e1NTSEF9bzFKNE1OVEl1TWJKUURGZUJsOGdTcis0Uk50THBURmg1eWxsR2c9PQ=
=
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141009200413Z
modifyTimestamp: 20141009200413Z
nsUniqueId: 69dfa584-4fef11e4-a2f3db6b-a9db56cd
# entry-id: 13
dn: cn=active otp,cn=otp,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
sn: active otp
cn: active otp
description: final description
seeAlso: cn=active guy,cn=accounts,dc=example,dc=com
creatorsName: cn=directory manager
modifiersName: cn=active guy,cn=accounts,dc=example,dc=com
createTimestamp: 20141009200413Z
modifyTimestamp: 20141009200413Z
nsUniqueId: 69dfa585-4fef11e4-a2f3db6b-a9db56cd
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
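The ACI evaluation argued over in this thread, as an added example that is not code from 389-ds or FreeIPA: a small Python model of just the ACI features the quoted rules use (targetfilter, target, targetattr, userdn, and the userattr "seeAlso#USERDN" / "ipatokenOwner#USERDN" bind rules), enough to work out which attributes a post-read control may hand back to a bind DN. It reproduces thierry's test case (cn=active guy modifying cn=active otp) and Nathaniel's token case using only the ACI quoted in the thread; the other ACIs in default-aci.ldif that Nathaniel says cover ipatokenOTPalgorithm and ipatokenOTPdigits are not transcribed, so this model denies those two. Assumptions of the example: the FreeIPA ACI is placed on cn=otp,dc=example,dc=com, the token's objectClass values beyond ipaToken and the placeholder key value are made up, a missing targetattr is treated as "every attribute", and groupdn rules fail closed. `post_read` checks only the requested attributes (Nathaniel's position); `entry_visible` walks every attribute of the entry looking for a readable one (the behaviour thierry describes).

```python
# Added example, not 389-ds or FreeIPA code: a simplified model of ACI read evaluation
# for reasoning about post-read responses.  Modelled: targetfilter (one equality), target
# (wildcard RDN), targetattr (|| list, optional !=), userdn "ldap:///<dn>"/"ldap:///self",
# userattr "<attr>#USERDN".  Not modelled: groupdn, deny, inheritance (assumptions, see text).
import re

_RE_FILTER = re.compile(r'\(\s*targetfilter\s*=\s*"\(([^=]+)=([^)]*)\)"\s*\)', re.I)
_RE_TARGET = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', re.I)
_RE_ATTRS = re.compile(r'\(\s*targetattrs?\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_RE_BODY = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*allow\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', re.I | re.S)
_RE_USERDN = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"', re.I)
_RE_USERATTR = re.compile(r'userattr\s*=\s*"([^"#]+)#USERDN"', re.I)

def norm_dn(dn):  # case-fold and drop whitespace around RDN separators
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_aci(container_dn, text):
    """Parse one aci value stored on container_dn into a dict."""
    body = _RE_BODY.search(text)
    if not body:
        raise ValueError("unsupported aci syntax: " + text)
    name, rights, bind_rule = body.groups()
    flt, tgt, att = _RE_FILTER.search(text), _RE_TARGET.search(text), _RE_ATTRS.search(text)
    return {"name": name, "container": norm_dn(container_dn),
            "filter": (flt.group(1).strip().lower(), flt.group(2).strip()) if flt else None,
            "target": tgt.group(1) if tgt else None,
            "negated": bool(att and att.group(1) == "!="),
            "attrs": {a.strip().lower() for a in att.group(2).split("||")} if att else {"*"},
            "rights": {r.strip().lower() for r in rights.split(",")},
            "bind_rule": bind_rule.strip()}

def _target_matches(aci, entry_dn):
    dn = norm_dn(entry_dn)
    if aci["target"] is None:  # an ACI on an entry governs that entry and its subtree
        return dn == aci["container"] or dn.endswith("," + aci["container"])
    pattern = re.escape(norm_dn(aci["target"])).replace(r"\*", "[^,]*")
    return re.fullmatch(pattern, dn) is not None

def _bind_rule_matches(rule, bind_dn, entry_dn, entry):
    """or-joined userdn/userattr clauses; anything else (e.g. groupdn) fails closed."""
    for clause in re.split(r"\s+or\s+", rule, flags=re.I):
        clause = clause.strip().strip("()")
        m = _RE_USERDN.fullmatch(clause)
        if m and norm_dn(entry_dn if m.group(1).lower() == "self" else m.group(1)) == norm_dn(bind_dn):
            return True
        m = _RE_USERATTR.fullmatch(clause)  # seeAlso#USERDN: the entry's attribute holds the bind DN
        if m and any(norm_dn(v) == norm_dn(bind_dn) for v in entry.get(m.group(1).strip().lower(), [])):
            return True
    return False

def can_read(acis, bind_dn, entry_dn, entry, attr):
    """True if some allow ACI grants `read` on attr of entry to bind_dn."""
    e, a = {k.lower(): v for k, v in entry.items()}, attr.lower()
    for aci in acis:
        if not ({"read", "all"} & aci["rights"]) or not _target_matches(aci, entry_dn):
            continue
        if aci["filter"] and aci["filter"][1].lower() not in [v.lower() for v in e.get(aci["filter"][0], [])]:
            continue
        if ("*" in aci["attrs"] or a in aci["attrs"]) == aci["negated"]:  # attr outside the ACI's set
            continue
        if _bind_rule_matches(aci["bind_rule"], bind_dn, entry_dn, e):
            return True
    return False

def post_read(acis, bind_dn, entry_dn, entry, requested=()):
    """Post-read as Nathaniel argues it should work: check only the requested attributes."""
    wanted = {r.lower() for r in requested}
    return {"dn": entry_dn, **{k: v for k, v in entry.items()
                               if k.lower() in wanted and can_read(acis, bind_dn, entry_dn, entry, k)}}

def entry_visible(acis, bind_dn, entry_dn, entry):
    """The behaviour thierry describes: is any attribute of the entry readable at all?"""
    return any(can_read(acis, bind_dn, entry_dn, entry, a) for a in entry)

# Constructed data transcribed from the thread (placing the FreeIPA ACI on cn=otp is assumed).
OTP_CONTAINER = "cn=otp,dc=example,dc=com"
ACTIVE_GUY = "cn=active guy,cn=accounts,dc=example,dc=com"
ACTIVE_OTP = "cn=active otp,cn=otp,dc=example,dc=com"
THIERRY_ACIS = [parse_aci(OTP_CONTAINER, s) for s in (
    '(targetfilter = "(objectclass=organizationalPerson)")(target = "ldap:///cn=*,cn=otp,dc=example,'
    'dc=com")(targetattr = "objectclass || description || seeAlso")(version 3.0; acl "Active user '
    'modify otp entry"; allow (write) userdn = "ldap:///' + ACTIVE_GUY + '";)',
    '(targetfilter = "(objectclass=organizationalPerson)") (targetattr = "objectclass || description '
    '|| seeAlso || cn")(version 3.0; acl "Active user can read his entries"; allow (read, search, '
    'compare) userattr = "seeAlso#USERDN";)')]
ACTIVE_OTP_ENTRY = {"objectClass": ["top", "person", "organizationalPerson"], "cn": ["active otp"],
                    "sn": ["active otp"], "description": ["final description"], "seeAlso": [ACTIVE_GUY]}
OTP_USER = "uid=otp,cn=users,cn=accounts,dc=example,dc=com"
TOKEN_DN = "ipatokenuniqueid=52001946-4f2d-11e4-9127-7831c1d63a78,cn=otp,dc=example,dc=com"
IPA_ACIS = [parse_aci(OTP_CONTAINER,
    '(targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy '
    '|| ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor '
    '|| ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "Users/managers can read '
    'basic token info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = '
    '"managedBy#USERDN";)')]
TOKEN_ENTRY = {"objectClass": ["top", "ipaToken"], "ipatokenOwner": [OTP_USER], "managedBy": [OTP_USER],
               "ipatokenUniqueID": ["52001946-4f2d-11e4-9127-7831c1d63a78"],
               "ipatokenOTPkey": ["<constructed placeholder>"], "ipatokenHOTPcounter": ["0"]}
```

With the quoted ACI alone, `can_read` grants objectClass, ipatokenUniqueID, ipatokenOwner and managedBy to the token owner and denies ipatokenOTPkey and ipatokenHOTPcounter, which matches the valid/invalid marks in Nathaniel's list; since at least one attribute is readable, even the entry-walking behaviour thierry describes should have produced a post-read entry for that bind DN. Note that the "Active user modify otp entry" ACI grants only write, so with seeAlso pointing elsewhere the modify would still succeed but nothing of the entry is readable.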