On 01/14/2015 12:03 PM, Martin Kosek wrote:
On 01/14/2015 10:58 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek <mko...@redhat.com> wrote:

This is a crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.

Simo/Petr3 or others, any concerns?

The first patch looks good
the second looks .. broad ?

Shouldn't you explicitly allow specific attributes ?
You mean for:

+    'System: Read LDBM database config': {
+        'ipapermlocation': DN('cn=config'),
+        'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+        'ipapermbindruletype': 'permission',
+        'ipapermright': {'read', 'search', 'compare'},
+        'default_privileges': {'Replication Administrators'},
+        'ipapermdefaultattr': {'*'},
+    },
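Review bot: `'ipapermdefaultattr': {'*'}` together with `'ipapermright': {'read', 'search', 'compare'}` lets the Replication Administrators privilege read every attribute of cn=config,cn=ldbm database,cn=plugins,cn=config, present and future, not only the nsslapd-changelogdir attribute the thread says is needed; since the wildcard is forced by the DS schema check rather than chosen, a short comment above this entry recording that reason and the attribute actually required would keep a later cleanup from either narrowing it into an ACI that DS rejects or reading the wildcard as a deliberate grant.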

? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
as the config is just an extensibleObject. But as I was going through
the attributes, I did not see anything super-secret.

Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use "*" in
this case?
The ACL Syntax Error comes straight from the DS, so there's not much IPA can
do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
sure that's the right solution here.
Thierry, any comments? See the attached LDIF.

Actually, this limitation was added with bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug whether the ability to define non-schema attributes was
creating a problem for IPA.
Not before, but with PermissionV2 and especially these patches, we may need to
control access to unknown attributes in extensibleObject objects.
One possibility is to revert that fix (with or without a configuration toggle). But then in a topology with mixed versions of DS, old DS will skip those ACIs.

Using the '*' char is not nice but will guarantee the same evaluation on all servers.
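As an added illustration of the trade-off discussed in this thread (this is constructed example code, not FreeIPA's permission plugin or 389 DS code), the snippet below lints a managed-permission definition in the shape of the one quoted above: it flags attributes that 389 DS would reject because they are not in the schema, and flags a '*' wildcard, which DS accepts but which grants the listed rights on every attribute of the target entry. The schema set, the DN strings standing in for DN(), and the simplified targetattr rendering are assumptions made for the example.

```python
"""Lint FreeIPA-style managed permission definitions (constructed example)."""

# Constructed stand-in for the attribute names present in the DS schema.
# The real schema is far larger; nsslapd-changelogdir is deliberately absent,
# mirroring the thread (the target entry is an extensibleObject).
KNOWN_ATTRS = {"cn", "objectclass", "nsslapd-directory", "nsslapd-cachememsize"}

# The definition quoted in the thread, with DN() replaced by plain strings.
READ_LDBM_CONFIG = {
    "ipapermlocation": "cn=config",
    "ipapermtarget": "cn=config,cn=ldbm database,cn=plugins,cn=config",
    "ipapermbindruletype": "permission",
    "ipapermright": {"read", "search", "compare"},
    "default_privileges": {"Replication Administrators"},
    "ipapermdefaultattr": {"*"},
}


def unknown_attrs(perm, schema=KNOWN_ATTRS):
    """Attributes DS would reject with an ACL syntax error (not in schema)."""
    return sorted(a for a in perm["ipapermdefaultattr"]
                  if a != "*" and a.lower() not in schema)


def is_wildcard(perm):
    """True when the permission grants its rights on every attribute."""
    return "*" in perm["ipapermdefaultattr"]


def targetattr_clause(perm):
    """Simplified rendering of the ACI targetattr clause (assumed format)."""
    return '(targetattr = "%s")' % " || ".join(sorted(perm["ipapermdefaultattr"]))


def lint(perm, schema=KNOWN_ATTRS):
    """Return findings a reviewer of this permission would want to see."""
    findings = []
    bad = unknown_attrs(perm, schema)
    if bad:
        findings.append("DS will reject the ACI: attributes not in schema: "
                        + ", ".join(bad))
    if is_wildcard(perm):
        findings.append("wildcard grants %s on every attribute of %s"
                        % ("/".join(sorted(perm["ipapermright"])),
                           perm["ipapermtarget"]))
    return findings


if __name__ == "__main__":
    # The wildcard variant from the thread and the explicit-attribute variant
    # that was tried first; each produces exactly one finding.
    explicit = dict(READ_LDBM_CONFIG, ipapermdefaultattr={"nsslapd-changelogdir"})
    for name, perm in (("wildcard", READ_LDBM_CONFIG), ("explicit", explicit)):
        print(name, targetattr_clause(perm))
        for f in lint(perm):
            print("  -", f)
```

Running it prints one finding per variant: the explicit form is rejected by DS for naming an attribute outside the schema, the wildcard form is accepted but broad, which is exactly the choice the thread is weighing.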
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
