[Freeipa-users] Re: Apache Tomcat Showing on Security Scan as Outdated.
Hi Rob,

Thanks for helping out here. I was pulled sideways and I am returning to this issue now. I am sorry.

Vulnerability showing is "Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability"

Is there a way and a need to update Apache Tomcat from within FreeIPA? If so, is this upgrade done via FreeIPA update, as in, update FreeIPA using:

ipa-ldap-updater --upgrade
ipa-upgradeconfig

or is Tomcat upgradable separately? Please advise.

Many thanks in advance.

Marcelo

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching
Finn Fysj via FreeIPA-users wrote:
>> Finn Fysj via FreeIPA-users wrote:
>>
>> Seems unlikely that anonymous ACIs would prevent HBAC from working.
>> Especially ACIs that don't apply to the bound dn.
>>
>> These ACIs also apply very broadly across the server. For example, the
>> user and group ACIs overlap with memberof. You probably want to use a
>> different subtree, say the user container for the first and last, and
>> the group container for that one.
>>
>> rob
> Thank you for your response, Rob.
>
> I managed to solve this before reading your comment, however, could you please
> explain to me why it didn't work and why it works now?
>
> Looking at this through the eyes of the UI:
> The old solution was using the "Subtree" field with: Subtree:
> dc=example,dc=com. This was replaced with the use of "Type: User" with
> attribute: "memberof", and "Type: Group" with attributes: member and memberof
> for the anonymous group permission.
>
> How can this small thing make such a huge difference? (this is very new to me)

It has to do with where ACIs live in the tree. If all ACIs live in the basedn then for every single operation, all ACIs will be evaluated. This is slow.

We try to locate ACIs within the "container" for each object instead of globally (e.g. cn=users,cn=accounts). This applies the user-specific ACIs only when user objects are managed.

I don't know about old and new with subtree and type. From what I remember this has always been available on the cli from my initial implementation. The type (user, group, host, etc.) is shorthand for where the ACI will be placed so that users don't need to understand the tree layout. Subtree is a more manual approach to this to provide flexibility.

As I said, I can't believe that a global aci granting access to member/memberof would affect HBAC evaluation. HBAC doesn't bind as anonymous so these shouldn't even apply.
rob
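Rob's point about where an ACI lives in the tree, as an added example that is not part of the thread or of FreeIPA's own code: a simplified model of 389-ds ACI scoping in which an aci stored on an entry is a candidate for every operation on that entry and on anything beneath it. The two layouts compared are the ones the thread describes, every ACI on the base DN versus ACIs placed in the per-object containers (the cn=users,cn=accounts / cn=groups,cn=accounts / cn=computers,cn=accounts layout FreeIPA uses). The suffix dc=example,dc=com, the ACI names and the target DNs are constructed for the example.

```python
# Added example, not FreeIPA project code. Models how a directory server
# collects candidate ACIs for an operation: it walks from the target entry
# up to the naming suffix and gathers the aci values stored on each entry.
# Everything placed on the suffix is therefore evaluated for every operation,
# while an ACI placed in cn=users,cn=accounts is only evaluated for entries
# under that container.

from collections import defaultdict

SUFFIX = "dc=example,dc=com"  # constructed suffix for the example

# FreeIPA's "type" shorthand maps an object type to the container the ACI
# is placed in, so the administrator does not need to know the tree layout.
CONTAINER_FOR_TYPE = {
    "user": "cn=users,cn=accounts",
    "group": "cn=groups,cn=accounts",
    "host": "cn=computers,cn=accounts",
}


def normalize(dn: str) -> str:
    """Simplified DN normalization: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ancestors(dn: str) -> list[str]:
    """Return the DN itself followed by each ancestor up to and including SUFFIX."""
    parts = normalize(dn).split(",")
    chain = []
    for i in range(len(parts)):
        candidate = ",".join(parts[i:])
        chain.append(candidate)
        if candidate == normalize(SUFFIX):
            break
    return chain


class Directory:
    """Holds aci values keyed by the DN of the entry they are stored on."""

    def __init__(self) -> None:
        self.acis: dict[str, list[str]] = defaultdict(list)

    def add_aci(self, location_dn: str, name: str) -> None:
        self.acis[normalize(location_dn)].append(name)

    def acis_evaluated_for(self, target_dn: str) -> list[str]:
        """Every ACI stored on the target or one of its ancestors is evaluated."""
        found = []
        for dn in ancestors(target_dn):
            found.extend(self.acis.get(dn, []))
        return found


# The three permissions from the thread: user memberof, group member/memberof,
# plus a host one to make the scoping effect visible.
PERMISSIONS = [
    ("user", "read user memberof"),
    ("group", "read group member and memberof"),
    ("host", "read host attributes"),
]


def build_global() -> Directory:
    """Old layout: Subtree = dc=example,dc=com, so every ACI sits on the suffix."""
    d = Directory()
    for _type, name in PERMISSIONS:
        d.add_aci(SUFFIX, name)
    return d


def build_scoped() -> Directory:
    """New layout: Type = user/group/host places each ACI in its container."""
    d = Directory()
    for obj_type, name in PERMISSIONS:
        d.add_aci(f"{CONTAINER_FOR_TYPE[obj_type]},{SUFFIX}", name)
    return d


def evaluation_counts(target_dn: str) -> dict[str, int]:
    """How many ACIs each layout must evaluate for an operation on target_dn."""
    return {
        "global": len(build_global().acis_evaluated_for(target_dn)),
        "scoped": len(build_scoped().acis_evaluated_for(target_dn)),
    }


if __name__ == "__main__":
    # Constructed target entries: a user, and an HBAC rule outside cn=accounts.
    for target in (
        f"uid=alice,{CONTAINER_FOR_TYPE['user']},{SUFFIX}",
        f"ipauniqueid=rule1,cn=hbac,{SUFFIX}",
    ):
        print(target, evaluation_counts(target))
```

Running the block shows the asymmetry Rob describes: an operation on a user entry evaluates all three ACIs in the global layout but only the user ACI in the scoped one, and an operation on an entry outside cn=accounts (such as an HBAC rule) evaluates three ACIs globally and none when scoped. The model only covers placement, not the ACI's own target and bind-rule matching, which is the other half of why an anonymous-bind ACI should not influence HBAC.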
[Freeipa-users] Re: FreeIPA server + Replica - HBAC rules not matching
> Finn Fysj via FreeIPA-users wrote:
>
> Seems unlikely that anonymous ACIs would prevent HBAC from working.
> Especially ACIs that don't apply to the bound dn.
>
> These ACIs also apply very broadly across the server. For example, the
> user and group ACIs overlap with memberof. You probably want to use a
> different subtree, say the user container for the first and last, and
> the group container for that one.
>
> rob

Thank you for your response, Rob.

I managed to solve this before reading your comment, however, could you please explain to me why it didn't work and why it works now?

Looking at this through the eyes of the UI:
The old solution was using the "Subtree" field with: Subtree: dc=example,dc=com. This was replaced with the use of "Type: User" with attribute: "memberof", and "Type: Group" with attributes: member and memberof for the anonymous group permission.

How can this small thing make such a huge difference? (this is very new to me)