On 14/11/2023 09.18, Francis Augusto Medeiros-Logeay via FreeIPA-users
wrote:
> I am a bit confused here. What should be an appropriate default_privileges
> value so that a system account can read all the entries/attributes below
> cn=mailserver,cn=etc?
Who should be allowed to access the fields? All principals (users, services,
hosts, sys accounts) or a limited subset of principals?
> Any authenticated user. I have this system account
> cn=system,cn=sysaccounts,cn=etc that I use only for reading attributes. That
> entry doesn't see any entry (besides postfixDomain object classes) under the
> tree we mention.
If any authenticated principal should be allowed to read the entries,
then you do not need a named permission. The bind rule type "all"
creates an ACI with target "ldap:///all" (all authenticated users).
Easier to maintain and faster to check.
> Thank you Christian. Does it mean that the
> cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX also needs an «only» statement?
Yes, you need to create the RDN attribute for all entries, either with "only" or
"default".
> Thanks! What's the difference between only and default, since we're here? :)
"default" is only taken into account when the entry does not exist.
"only" sets the attribute to a single value during creation and update.
Incredibly useful when the entry is buggy, e.g. you have a copy 'n paste
issue.
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
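As an added illustration (not part of the thread, and not Francis's or Christian's code), here is what the two points above look like in the FreeIPA update-file format that `only:` and `default:` belong to. The container DNs are taken from the thread; the ACI name, the choice of `nsContainer` as object class and the `(targetattr = "*")` scope are assumptions for the example. The ACI is the hand-written equivalent of what a managed permission with bind rule type "all" produces: `userdn = "ldap:///all"` grants read to every authenticated bind, so no privilege or role needs to be named.

```text
# Added example: IPA update file fragment (e.g. a file applied by ipa-ldap-updater).
# "default:" lines are only used when the entry does not exist yet;
# "only:" forces the attribute to exactly this one value on create and on update,
# which is why the RDN attribute of every entry is written with "only:".

dn: cn=mailserver,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
only: cn: mailserver
# Read access for any authenticated principal (users, hosts, services,
# system accounts). Placed on the container, so it covers the whole subtree.
# Anonymous binds are not matched by ldap:///all.
add: aci: (targetattr = "*")(version 3.0; acl "Read mailserver entries (authenticated)"; allow (read, search, compare) userdn = "ldap:///all";)

dn: cn=postfixadmin,cn=mailserver,cn=etc,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
only: cn: postfixadmin
```

If the entries must instead be readable by a limited set of principals, drop the `add: aci:` line and define a managed permission with a named privilege (the `default_privileges` route from the first message); the `only:` lines stay the same either way. After applying, a quick check is an LDAP search bound as the system account: `ldapsearch -D "cn=system,cn=sysaccounts,cn=etc,$SUFFIX" -W -b "cn=mailserver,cn=etc,$SUFFIX"` should now return the container and its children rather than only the entries the sysaccount could already see.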
_______________________________________________
FreeIPA-users mailing list -- [email protected]