On 01/14/2015 03:34 PM, Simo Sorce wrote:
> On Wed, 14 Jan 2015 13:41:54 +0100
> thierry bordaz <tbor...@redhat.com> wrote:
> 
>> On 01/14/2015 12:03 PM, Martin Kosek wrote:
>>> On 01/14/2015 10:58 AM, thierry bordaz wrote:
>>>> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
>>>>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
>>>>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>>>>>>> On Tue, 13 Jan 2015 18:16:11 +0100
>>>>>>> Martin Kosek <mko...@redhat.com> wrote:
>>>>>>>
>>>>>>>> This is a crude first version of the (working) fixes for the
>>>>>>>> Winsync/Passsync problems caused by the PermissionV2
>>>>>>>> refactoring.
>>>>>>>>
>>>>>>>> Simo/Petr3 or others, any concerns?
>>>>>>>>
>>>>>>> The first patch looks good
>>>>>>> the second looks .. broad ?
>>>>>>>
>>>>>>> Shouldn't you explicitly allow specific attributes ?
>>>>>> You mean for:
>>>>>>
>>>>>> +    'System: Read LDBM database config': {
>>>>>> +        'ipapermlocation': DN('cn=config'),
>>>>>> +        'ipapermtarget': DN('cn=config,cn=ldbm
>>>>>> database,cn=plugins,cn=config'),
>>>>>> +        'ipapermbindruletype': 'permission',
>>>>>> +        'ipapermright': {'read', 'search', 'compare'},
>>>>>> +        'default_privileges': {'Replication Administrators'},
>>>>>> +        'ipapermdefaultattr': {'*'},
>>>>>> +    },
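Review bot: 'ipapermdefaultattr': {'*'} grants read, search and compare on every attribute of the cn=config,cn=ldbm database,cn=plugins,cn=config entry, while the change only needs nsslapd-changelogdir. Since the DS rejects a targetattr naming an attribute absent from the schema (the entry is an extensibleObject), list the attributes you actually need and use the appended-asterisk form for the undefined one, e.g. 'ipapermdefaultattr': {'nsslapd-changelogdir*'}, instead of the bare wildcard; and if the wildcard has to stay, record in the permission's definition why it is there so it is not widened further by a later edit.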
>>>>>>
>>>>>> ? I did that as my first try, but then the ACI was not accepted,
>>>>>> as the attribute I was looking for (nsslapd-changelogdir) is not
>>>>>> in the schema: the config is just an extensibleObject. But as
>>>>>> I went through the attributes, I did not see anything
>>>>>> super-secret.
>>>>>>
>>>>>> Petr, is there any way to make permission plugin accept unknown
>>>>>> attribute in the permission attribute list, or do we need to use
>>>>>> "*" in this case?
>>>>> The ACL Syntax Error comes straight from the DS, so there's not
>>>>> much IPA can do. The error suggests adding nsslapd-changelogdir
>>>>> to the schema, but I'm not sure that's the right solution here.
>>>>> Thierry, any comments? See the attached LDIF.
>>>>>
>>>> Actually this limitation was added with the bug
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=244229.
>>>> I do not see in the bug whether the ability to define non-schema
>>>> attributes was creating a problem for IPA.
>>> Not before, but with PermissionV2 and especially these patches, we
>>> may need to control access to unknown attributes in
>>> extensibleObject objects.
>> One possibility is to revert that fix (with or without a configuration 
>> toggle). But then in a topology with mixed versions of DS, old DS
>> will skip those ACIs.
>>
>> Using the '*' char is not nice but will guarantee the same evaluation on all 
>> servers.
> 
> We requested attribute validation when adding ACIs; without it, it was very
> simple to make typos, which would be fatal for DENY ACIs.
> 
> The problem here is in using extensibleObject and not defining a
> schema IMO.
> 
> That said I am ok with the targetattr with appended asterisk to the
> undefined attribute name.
> 
> Simo.

After some thought, I agree with this path also. I will soon send the revised
patches, with this and other improvements.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
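A pre-flight check for the situation the thread describes, as an added example that is neither FreeIPA nor 389-DS project code: the DS refuses an ACI whose targetattr names an attribute missing from the schema, so a permission definition for an extensibleObject entry such as the LDBM database config either has to use a bare '*' or the attribute name with an appended '*'. The functions below take a permission dict in the shape quoted in the thread, report attributes the schema does not define, and build the targetattr clause with the appended-asterisk form for those, refusing a bare '*' unless the caller opts in. The schema subset and the permission dict are constructed sample data; the bind rule is passed in by the caller because IPA generates the real one.

```python
# Added example, not FreeIPA or 389-DS code. Constructed sample inputs below.

# Constructed subset of attribute names; a real check would read cn=schema.
SAMPLE_SCHEMA_ATTRS = {
    "cn", "objectclass", "nsslapd-directory", "nsslapd-cachememsize",
}

# Shape follows the managed-permission dict quoted in the thread, but with
# explicit attributes instead of '*'. nsslapd-changelogdir is deliberately
# absent from SAMPLE_SCHEMA_ATTRS to reproduce the extensibleObject case.
READ_LDBM_CONFIG = {
    "ipapermlocation": "cn=config",
    "ipapermtarget": "cn=config,cn=ldbm database,cn=plugins,cn=config",
    "ipapermbindruletype": "permission",
    "ipapermright": {"read", "search", "compare"},
    "default_privileges": {"Replication Administrators"},
    "ipapermdefaultattr": {"nsslapd-changelogdir", "nsslapd-directory"},
}


def unknown_attrs(perm, schema_attrs):
    """Attributes in ipapermdefaultattr that the schema does not define.

    Wildcard entries ('*' or 'name*') are skipped: the DS does not validate
    those against the schema, which is exactly why the thread ends up using
    them for the extensibleObject config entry."""
    known = {a.lower() for a in schema_attrs}
    return sorted(
        a for a in perm["ipapermdefaultattr"]
        if not a.endswith("*") and a.lower() not in known
    )


def is_bare_wildcard(perm):
    """True when the permission grants every attribute on the target entry."""
    return "*" in perm["ipapermdefaultattr"]


def targetattr_clause(perm, schema_attrs, allow_bare_wildcard=False):
    """Build the (targetattr = ...) part of the ACI.

    Known attributes are listed by name; attributes the schema lacks get the
    appended-asterisk form so the DS accepts the ACI without the schema
    change. A bare '*' is refused unless explicitly allowed, because it is
    much broader than the one attribute that is usually needed."""
    if is_bare_wildcard(perm) and not allow_bare_wildcard:
        raise ValueError("bare '*' targetattr needs explicit opt-in")
    unknown = set(unknown_attrs(perm, schema_attrs))
    names = [
        a + "*" if a in unknown else a
        for a in sorted(perm["ipapermdefaultattr"], key=str.lower)
    ]
    return '(targetattr = "%s")' % " || ".join(names)


def build_aci(perm, acl_name, schema_attrs, bind_rule,
              allow_bare_wildcard=False):
    """Assemble a 389-DS style ACI for the permission's target entry.

    bind_rule is supplied by the caller (e.g. 'groupdn = "ldap:///..."');
    this example does not reproduce how IPA derives it from
    ipapermbindruletype."""
    rights = ", ".join(sorted(perm["ipapermright"]))
    return '(target = "ldap:///%s")%s(version 3.0;acl "%s";allow (%s) %s;)' % (
        perm["ipapermtarget"],
        targetattr_clause(perm, schema_attrs, allow_bare_wildcard),
        acl_name,
        rights,
        bind_rule,
    )


if __name__ == "__main__":
    print("unknown:", unknown_attrs(READ_LDBM_CONFIG, SAMPLE_SCHEMA_ATTRS))
    print(build_aci(READ_LDBM_CONFIG, "System: Read LDBM database config",
                    SAMPLE_SCHEMA_ATTRS,
                    'groupdn = "ldap:///cn=example,dc=example,dc=test"'))
```

Running the check as part of the permission update (before anything is written to cn=config) turns the DS "ACL Syntax Error" into a readable list of offending attribute names, and makes the decision to use a wildcard an explicit one rather than the default.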