Martin Kosek wrote:
> On 09/03/2014 09:02 AM, Martin Kosek wrote:
>> In the meantime, you can use the workaround that Rob sent, you would just
>> need to delete it again when the fix is in, so that the permissions do not
>> step on each other.
>
> Actually, wait a minute. I think Rob's ACI example may be too wide, it may
> expose any attribute in the compat tree, including a potential userPassword.

The ACI was on his custom cn=canlogin subtree, not all of cn=compat.

> As I see, it seems that the slapi-nis plugin fortunately does not expose
> that, but it is safer to just list the attributes that one wants to display
> (this is also what we did in FreeIPA 4.0, no global wildcard-allowing ACIs
> any more).
>
> I added a respective permission via Web UI (one part of it cannot be added
> via CLI, see https://fedorahosted.org/freeipa/ticket/4522) and the compat
> tree now works for me. See attached example.
>
> Resulting permission shown in CLI:
>
> # ipa permission-show "TEMPORARY - Read compat tree"
>   Permission name: TEMPORARY - Read compat tree
>   Granted rights: read, search, compare
>   Effective attributes: cn, description, gecos, gidnumber, homedirectory,
>                         loginshell, memberuid, objectclass, uid, uidnumber
>   Bind rule type: all
>   Subtree: dc=mkosek-fedora20,dc=test
>   ACI target DN: cn=compat,dc=mkosek-fedora20,dc=test
>
> It is much easier to manipulate than an ACI added via ldapmodify.

I see you filed a bug on the missing CLI option. That's why I did the ACI,
because I couldn't demonstrate how to add this ACI on the CLI. I hadn't
gotten around to doing that last night.

rob

> HTH,
> Martin
>
>> Martin
>>
>> On 09/02/2014 11:09 PM, Rob Crittenden wrote:
>>> Chris Whittle wrote:
>>>> If I do this
>>>>
>>>> ldapsearch -LLL -H ldaps://DOMAIN:636 -x -D \
>>>>   "uid=mac_slave,cn=users,cn=accounts,dc=domain,dc=com" -w 'nachopassword' \
>>>>   -b "uid=awesomeuser,cn=users,cn=accounts,dc=domain,dc=com"
>>>>
>>>> It works fine
>>>
>>> AFAICT there currently isn't a permission for the compat tree. The admin
>>> user can do it via 'Admin can manage any entry' and of course DM can do
>>> it because it can do anything.
>>>
>>> A temporary workaround would be to add an aci manually:
>>>
>>> dn: dc=example,dc=com
>>> changetype: modify
>>> add: aci
>>> aci: (targetattr = "*")(target =
>>>  "ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl
>>>  "Read canlogin compat tree";allow (compare,read,search) userdn =
>>>  "ldap:///all";)
>>>
>>> This won't show up as a permission and will grant all authenticated
>>> users read access to the canlogin compat tree. I'm assuming here this
>>> contains entries keyed on uid.
>>>
>>> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
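As an added example (not from the thread, and not FreeIPA or 389-ds code), a small Python review helper that parses 389-ds ACI strings and flags the pattern Martin raised: a wildcard targetattr granted to every bound user, as opposed to an explicit attribute list. The two sample ACIs are constructed from the thread's wildcard workaround and the attribute list of the "TEMPORARY - Read compat tree" permission; the sensitive-attribute set, the regex parsing and the handling of a missing targetattr clause are assumptions of this script.

```python
import re

# Constructed samples (not taken from any server): the wildcard workaround
# quoted in the thread, and an explicit-attribute ACI modelled on the
# attribute list of the "TEMPORARY - Read compat tree" permission.
WILDCARD_ACI = (
    '(targetattr = "*")(target = '
    '"ldap:///uid=*,cn=canlogin,cn=compat,dc=example,dc=com")(version 3.0;acl '
    '"Read canlogin compat tree";allow (compare,read,search) userdn = "ldap:///all";)'
)
SCOPED_ACI = (
    '(targetattr = "cn || description || gecos || gidnumber || homedirectory || '
    'loginshell || memberuid || objectclass || uid || uidnumber")'
    '(target = "ldap:///cn=compat,dc=example,dc=com")(version 3.0;acl '
    '"TEMPORARY - Read compat tree";allow (compare,read,search) userdn = "ldap:///all";)'
)

# Attributes a grant to every bound user must never cover; userPassword is
# the one the thread names, extend the set for your own schema (assumption).
SENSITIVE = {"userpassword"}
ANY_USER = ("ldap:///all", "ldap:///anyone")

def parse_aci(aci):
    """Pull targetattr, target, rights and bind rule out of a 389-ds ACI string."""
    m = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci)
    # No targetattr clause: record an empty list rather than guessing a default.
    attrs = [a.strip().lower() for a in m.group(2).split("||")] if m else []
    t = re.search(r'\(\s*target\s*=\s*"([^"]*)"\s*\)', aci)
    r = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', aci)
    return {
        "negated": bool(m) and m.group(1) == "!=",  # != "x" means every attribute but x
        "attrs": attrs,
        "target": t.group(1) if t else None,
        "rights": sorted(x.strip() for x in r.group(2).split(",")) if r else [],
        "bind": r.group(3).strip() if r else "",
    }

def review_aci(aci):
    """Flag read grants that reach more than an explicit, reviewed attribute list."""
    p = parse_aci(aci)
    open_to_all = any(u in p["bind"] for u in ANY_USER)
    wildcard = p["negated"] or "*" in p["attrs"]
    leaks = sorted(set(p["attrs"]) & SENSITIVE)
    findings = []
    if wildcard and open_to_all and "read" in p["rights"]:
        findings.append("wildcard targetattr readable by every bound user under %s" % p["target"])
    if leaks:
        findings.append("sensitive attributes granted explicitly: %s" % ", ".join(leaks))
    p.update(wildcard=wildcard, findings=findings)
    return p
```

Feed it the aci values read back from the suffix entry (for example with ldapsearch -b "dc=example,dc=com" -s base aci) to audit what a temporary workaround actually exposes before leaving it in place.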