On 01/14/2015 03:34 PM, Simo Sorce wrote:
> On Wed, 14 Jan 2015 13:41:54 +0100
> thierry bordaz <tbor...@redhat.com> wrote:
>
>> On 01/14/2015 12:03 PM, Martin Kosek wrote:
>>> On 01/14/2015 10:58 AM, thierry bordaz wrote:
>>>> On 01/14/2015 10:15 AM, Petr Viktorin wrote:
>>>>> On 01/13/2015 10:52 PM, Martin Kosek wrote:
>>>>>> On 01/13/2015 09:55 PM, Simo Sorce wrote:
>>>>>>> On Tue, 13 Jan 2015 18:16:11 +0100
>>>>>>> Martin Kosek <mko...@redhat.com> wrote:
>>>>>>>
>>>>>>>> This is a crude first version of the (working) fixes to fix
>>>>>>>> Winsync/Passsync problems caused by the PermissionV2
>>>>>>>> refactoring.
>>>>>>>>
>>>>>>>> Simo/Petr3 or others, any concerns?
>>>>>>>>
>>>>>>> The first patch looks good,
>>>>>>> the second looks .. broad?
>>>>>>>
>>>>>>> Shouldn't you explicitly allow specific attributes?
>>>>>> You mean for:
>>>>>>
>>>>>> + 'System: Read LDBM database config': {
>>>>>> + 'ipapermlocation': DN('cn=config'),
>>>>>> + 'ipapermtarget': DN('cn=config,cn=ldbm
>>>>>> database,cn=plugins,cn=config'),
>>>>>> + 'ipapermbindruletype': 'permission',
>>>>>> + 'ipapermright': {'read', 'search', 'compare'},
>>>>>> + 'default_privileges': {'Replication Administrators'},
>>>>>> + 'ipapermdefaultattr': {'*'},
>>>>>> + },
>>>>>>
>>>>>> ? I did that as my first try, but then the ACI was not accepted,
>>>>>> as the attribute I was looking for (nsslapd-changelogdir) is not
>>>>>> in the schema, as the config is just an extensibleObject. But as
>>>>>> I was going through the attributes, I did not see anything
>>>>>> super-secret.
>>>>>>
>>>>>> Petr, is there any way to make the permission plugin accept an unknown
>>>>>> attribute in the permission attribute list, or do we need to use
>>>>>> "*" in this case?
>>>>> The ACL Syntax Error comes straight from the DS, so there's not
>>>>> much IPA can do. The error suggests adding nsslapd-changelogdir
>>>>> to the schema, but I'm not sure that's the right solution here.
>>>>> Thierry, any comments? See the attached LDIF.
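Review bot: `'ipapermdefaultattr': {'*'}` together with `'ipapermright': {'read', 'search', 'compare'}` grants read access to every attribute of the cn=config,cn=ldbm database,cn=plugins,cn=config entry, while the message itself says only nsslapd-changelogdir is needed; since DS rejects a targetattr that is absent from the schema, the narrower form Simo proposes in this thread (the undefined attribute name with an appended asterisk) keeps the grant scoped, and the reason for the wildcard belongs in a comment next to the permission so it is not widened further later.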
>>>>>
>>>> Actually this limitation was added with the bug
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=244229.
>>>> I do not see in the bug if the ability to define a non-schema
>>>> attribute was creating a problem for IPA.
>>> Not before, but with PermissionV2 and especially these patches, we
>>> may need to control access to unknown attributes in
>>> extensibleObject objects.
>> One possibility is to revert that fix (with or without a configuration
>> toggle). But then in a topology with mixed versions of DS, old DS
>> will skip those ACIs.
>>
>> Using the '*' char is not nice but will guarantee the same evaluation on all
>> servers.
>
> We requested attribute validation when adding ACIs; without it, it was very
> simple to make typos, which would be fatal for DENY ACIs.
>
> The problem here is in using extensibleObject and not defining a
> schema IMO.
>
> That said, I am OK with the targetattr with an asterisk appended to the
> undefined attribute name.
>
> Simo.

After some thought, I agree with this path also. I will soon send the
revised patches, with this and other improvements.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
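An added example (not code from this thread or from FreeIPA) that models the trade-off the thread weighs: DS rejects a targetattr naming an attribute absent from the schema, so a permission on an extensibleObject config entry must use either '*' or an attribute name with an appended asterisk, and both are wildcards a reviewer should see flagged. The schema set, the permission names and the audit functions are constructed for illustration.

```python
# Added example: audit FreeIPA-style permission definitions for the two
# outcomes discussed in the thread: attribute names DS would reject because
# they are not in the schema, and wildcard targetattr entries that widen
# the grant. Schema and sample permissions are constructed, not real data.

# Constructed partial schema; nsslapd-changelogdir is deliberately absent,
# mirroring the extensibleObject config entry the thread talks about.
SCHEMA_ATTRS = {'cn', 'objectClass', 'nsslapd-directory', 'nsslapd-cachesize'}


def unknown_attrs(attrs, schema=SCHEMA_ATTRS):
    """Attribute names DS would reject: no wildcard and not in the schema."""
    lowered = {a.lower() for a in schema}
    return sorted(a for a in attrs if '*' not in a and a.lower() not in lowered)


def wildcard_findings(name, perm):
    """Review findings for wildcard targetattr entries of one permission."""
    findings = []
    rights = ','.join(sorted(perm.get('ipapermright', ())))
    target = perm.get('ipapermtarget', perm.get('ipapermlocation', '?'))
    for attr in sorted(perm.get('ipapermdefaultattr', ())):
        if attr == '*':
            findings.append(f"{name}: '*' grants {rights} on every attribute of {target}")
        elif '*' in attr:
            # A pattern still matches every attribute that fits it, not one name.
            findings.append(f"{name}: pattern '{attr}' grants {rights} on any attribute matching it")
    return findings


def audit(perms):
    """Map permission name -> (names DS would reject, wildcard findings)."""
    return {n: (unknown_attrs(p.get('ipapermdefaultattr', ())), wildcard_findings(n, p))
            for n, p in perms.items()}


# Constructed samples: the broad form from the patch, the explicit attribute
# DS rejects, and the appended-asterisk form the thread settles on.
TARGET = 'cn=config,cn=ldbm database,cn=plugins,cn=config'
SAMPLE = {
    'broad': {'ipapermtarget': TARGET, 'ipapermright': {'read', 'search', 'compare'},
              'ipapermdefaultattr': {'*'}},
    'explicit': {'ipapermtarget': TARGET, 'ipapermright': {'read'},
                 'ipapermdefaultattr': {'nsslapd-changelogdir'}},
    'prefix': {'ipapermtarget': TARGET, 'ipapermright': {'read'},
               'ipapermdefaultattr': {'nsslapd-changelogdir*'}},
}

if __name__ == '__main__':
    for name, (rejected, findings) in audit(SAMPLE).items():
        print(name, 'rejected:', rejected, 'findings:', findings)
```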