Adding freeipa-devel back.

On 01/14/2015 05:58 PM, Simo Sorce wrote:
On Wed, 14 Jan 2015 17:47:51 +0100
Martin Kosek <mko...@redhat.com> wrote:

-add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl
"Deny read access to replica configuration"; deny(read, search,
compare) userdn = "ldap:///anyone";;)'
+remove:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0;
acl "Deny read access to replica configuration"; deny(read, search,
compare) userdn = "ldap:///anyone";;)'
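Review bot: Removing this deny rule makes every entry matching (objectclass=nsContainer) under the rule's scope readable, searchable and comparable by all users, anonymous binds included, since userdn = "ldap:///anyone" covers both; if the goal is only to let a specific group see the winsync replica entries, an allow(read, search, compare) rule scoped with a target on the replica container and granted to that group widens access less than dropping the deny, and the update file should state why the entries may now be read.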

Why this removal?

It is in the patch description. This container stores winsync "replicas". With this deny ACI, the admin or anyone else besides Directory Manager can see the replicas, as deny rules take precedence and this one is scoped to ldap:///anyone.

My thinking was that this container is not too secret anyway; the only information a user gets is the name of the winsync'ed AD.

+dn: cn=config
+add:aci: '(version 3.0;acl "permission:Add Configuration
Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration
Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)'
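Review bot: This allow(add) rule at cn=config carries no target, targetfilter or targetattr clause, so members of cn=Add Configuration Sub-Entries may add an entry of any object class at any DN below cn=config; if the entry in mind is cn=changelog5, pin the rule with a DN target such as (target = "ldap:///cn=changelog5,cn=config") in addition to, or instead of, the targetfilter that was tried, and record in the update file which entry the permission is meant for.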

Doesn't this allow Replication admin to add any object anywhere in
cn=config?
This would be too broad.

It does. I wanted to narrow it with targetfilter '(targetfilter = "(cn=changelog5)")', but it did not work for me; the ADD was rejected. Not sure why, though: when I used '(targetfilter = "(objectclass=extensibleobject)")', it worked fine.

I fear this is some problem in DS targetfilter evaluation during ADD operation, CCing Ludwig for reference.

Martin
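As an added illustration (not code from this thread or from FreeIPA), a small checker that parses the two ACI values quoted above and flags the two scoping concerns raised in the discussion: a deny rule bound to ldap:///anyone, and an allow(add) rule with no target or targetfilter. It assumes the 389-ds ACI syntax shown in the hunks; $SUFFIX is left exactly as it appears in the patch.

```python
import re

# Constructed input: the two ACI values quoted from the update-file hunks in this thread
# (the deny rule being removed and the allow rule being added at cn=config).
SAMPLE_ACIS = [
    '(targetfilter="(objectclass=nsContainer)")(version 3.0; acl '
    '"Deny read access to replica configuration"; deny(read, search, '
    'compare) userdn = "ldap:///anyone";;)',
    '(version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) '
    'groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)',
]

# Target clauses precede the version clause: (keyword = "value") or (keyword != "value").
TARGET_RE = re.compile(
    r'\(\s*(target|targetfilter|targetattr|targattrfilters|targetscope)\s*(!?=)\s*"([^"]*)"\s*\)',
    re.I)
# Permission rule: (version 3.0; acl "name"; allow|deny (rights) bind-rule ;)
RULE_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;+\s*\)\s*$',
    re.I | re.S)

DENY_ANYONE = "deny bound to anyone: overrides every allow on matching entries"
ADD_UNPINNED = "allow(add) with no target DN or targetfilter: entries may be added anywhere below the ACI"
ALLOW_UNSCOPED = "allow with no target clause: applies to every entry and attribute in the subtree"


def parse_aci(aci):
    """Split one 389-ds ACI string into its target clauses and its permission rule."""
    start = aci.lower().find("(version")
    if start < 0:
        raise ValueError("no version clause: %r" % aci)
    targets = {m.group(1).lower(): (m.group(2), m.group(3))
               for m in TARGET_RE.finditer(aci[:start])}
    m = RULE_RE.match(aci[start:])
    if not m:
        raise ValueError("unparsable permission rule: %r" % aci)
    rights = [r.strip().lower() for r in m.group(3).split(",") if r.strip()]
    return {"name": m.group(1), "effect": m.group(2).lower(),
            "rights": rights, "bind": m.group(4).strip(), "targets": targets}


def review_aci(aci):
    """Return (acl name, list of scoping findings) for one ACI string."""
    p = parse_aci(aci)
    findings = []
    if p["effect"] == "deny" and "ldap:///anyone" in p["bind"].lower():
        findings.append(DENY_ANYONE)
    if p["effect"] == "allow":
        if "add" in p["rights"] and not {"target", "targetfilter"} & set(p["targets"]):
            findings.append(ADD_UNPINNED)
        elif not p["targets"]:
            findings.append(ALLOW_UNSCOPED)
    return p["name"], findings
```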

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
