Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/19/2015 01:20 PM, David Kupka wrote: Hi! This works for me. If all concerns regarding PermissionV2 and ACIs in general are resolved we can push. Both patches were pushed by mkosek on 2015-01-19: master: 6652c4eb2ebece71b6d60001246bd0fee5909099 Allow PassSync user to locate and update NT users ipa-4-1: 282d1ec2f9346c4a38b9867cff2ecf9151c0a794 Allow PassSync user to locate and update NT users master: 1537ac8138bf4371ae38147e8979904c756b3800 Allow Replication Administrators manipulate Winsync Agreements ipa-4-1: 794c9e6c31c4db2ae5c5869dbf782fab84eafd9f Allow Replication Administrators manipulate Winsync Agreements -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:27 PM, Martin Kosek wrote: Adding freeipa-devel back. On 01/14/2015 05:58 PM, Simo Sorce wrote: On Wed, 14 Jan 2015 17:47:51 +0100 Martin Kosek mko...@redhat.com wrote: -add:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)' +remove:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)' Why this removal ? It is in the patch description. This container stores winsync replicas. With this deny ACI, admin or anyone else besides Directory Manager can see the replicas as deny rules take precedence and this one is scoped for ldap://anyone. My thinking was that this container is not too secret anyway, the only information that user get is name of the winsync'ed AD. +dn: cn=config +add:aci: '(version 3.0;acl permission:Add Configuration Sub-Entries;allow (add) groupdn = ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX;)' Doesn't this allow REplication admin to add any object anywhere in cn=config ? This would be too broad. It does. I wanted to narrow it with targetfilter '(targetfilter = (cn=changelog5))' but, it did not work for me, ADD was rejected. Not sure why though, when I used '(targetfilter = (objectclass=extensibleobject))', it worked fine. I fear this is some problem in DS targetfilter evaluation during ADD operation, CCing Ludwig for reference. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hi! This works for me. If all concerns regarding PermissionV2 and ACIs in general are resolved we can push. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
Adding freeipa-devel back. On 01/14/2015 05:58 PM, Simo Sorce wrote: On Wed, 14 Jan 2015 17:47:51 +0100 Martin Kosek mko...@redhat.com wrote: -add:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)' +remove:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)' Why this removal ? It is in the patch description. This container stores winsync replicas. With this deny ACI, admin or anyone else besides Directory Manager can see the replicas as deny rules take precedence and this one is scoped for ldap://anyone. My thinking was that this container is not too secret anyway, the only information that user get is name of the winsync'ed AD. +dn: cn=config +add:aci: '(version 3.0;acl permission:Add Configuration Sub-Entries;allow (add) groupdn = ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX;)' Doesn't this allow REplication admin to add any object anywhere in cn=config ? This would be too broad. It does. I wanted to narrow it with targetfilter '(targetfilter = (cn=changelog5))' but, it did not work for me, ADD was rejected. Not sure why though, when I used '(targetfilter = (objectclass=extensibleobject))', it worked fine. I fear this is some problem in DS targetfilter evaluation during ADD operation, CCing Ludwig for reference. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On Wed, 14 Jan 2015 13:41:54 +0100 thierry bordaz tbor...@redhat.com wrote: On 01/14/2015 12:03 PM, Martin Kosek wrote: On 01/14/2015 10:58 AM, thierry bordaz wrote: On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug, if the ability to define non schema attribute was creating a problem for IPA Not before, but with PermissionV2 and especially these patches, we may need to control access to unknown attributes in extensibleObject objects. One possibility is to revert that fix (with or without configuration toggle). But then in a topology with mixed versions of DS, old DS will skipped those aci. Using '*' char is not nice but will guaranty a same evaluation on all servers. We requested attribute validation when adding ACIs, w/o it it was very simple to make typos, which would be fatal for DENY ACIs. The problem here is in using extensibleObject and not defining a schema IMO. That said I am ok with the targetattr with appended asterisk to the undefined attribute name. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 03:34 PM, Simo Sorce wrote: On Wed, 14 Jan 2015 13:41:54 +0100 thierry bordaz tbor...@redhat.com wrote: On 01/14/2015 12:03 PM, Martin Kosek wrote: On 01/14/2015 10:58 AM, thierry bordaz wrote: On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug, if the ability to define non schema attribute was creating a problem for IPA Not before, but with PermissionV2 and especially these patches, we may need to control access to unknown attributes in extensibleObject objects. One possibility is to revert that fix (with or without configuration toggle). But then in a topology with mixed versions of DS, old DS will skipped those aci. Using '*' char is not nice but will guaranty a same evaluation on all servers. We requested attribute validation when adding ACIs, w/o it it was very simple to make typos, which would be fatal for DENY ACIs. The problem here is in using extensibleObject and not defining a schema IMO. That said I am ok with the targetattr with appended asterisk to the undefined attribute name. Simo. After some thoughts, I agree with this path also. I will soon send the revised patches, with this and other improvements. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On Wed, 14 Jan 2015, Simo Sorce wrote: On Wed, 14 Jan 2015 13:41:54 +0100 thierry bordaz tbor...@redhat.com wrote: On 01/14/2015 12:03 PM, Martin Kosek wrote: On 01/14/2015 10:58 AM, thierry bordaz wrote: On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug, if the ability to define non schema attribute was creating a problem for IPA Not before, but with PermissionV2 and especially these patches, we may need to control access to unknown attributes in extensibleObject objects. One possibility is to revert that fix (with or without configuration toggle). But then in a topology with mixed versions of DS, old DS will skipped those aci. Using '*' char is not nice but will guaranty a same evaluation on all servers. We requested attribute validation when adding ACIs, w/o it it was very simple to make typos, which would be fatal for DENY ACIs. The problem here is in using extensibleObject and not defining a schema IMO. That said I am ok with the targetattr with appended asterisk to the undefined attribute name. +1. Another alternative is to use some symbol that could not be present in the attribute name at the beginning of the targetattr to switch off the schema checks, e.g. targetattr=nssldapd-changelogdir. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 03:42 PM, Alexander Bokovoy wrote: On Wed, 14 Jan 2015, Simo Sorce wrote: On Wed, 14 Jan 2015 13:41:54 +0100 thierry bordaz tbor...@redhat.com wrote: On 01/14/2015 12:03 PM, Martin Kosek wrote: On 01/14/2015 10:58 AM, thierry bordaz wrote: On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug, if the ability to define non schema attribute was creating a problem for IPA Not before, but with PermissionV2 and especially these patches, we may need to control access to unknown attributes in extensibleObject objects. One possibility is to revert that fix (with or without configuration toggle). But then in a topology with mixed versions of DS, old DS will skipped those aci. Using '*' char is not nice but will guaranty a same evaluation on all servers. We requested attribute validation when adding ACIs, w/o it it was very simple to make typos, which would be fatal for DENY ACIs. The problem here is in using extensibleObject and not defining a schema IMO. That said I am ok with the targetattr with appended asterisk to the undefined attribute name. +1. Another alternative is to use some symbol that could not be present in the attribute name at the beginning of the targetattr to switch off the schema checks, e.g. targetattr=nssldapd-changelogdir. Right, but the disadvantage is that ACIs following that approach would only work on new servers... Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 03:58 PM, Martin Kosek wrote: On 01/14/2015 03:34 PM, Simo Sorce wrote: On Wed, 14 Jan 2015 13:41:54 +0100 thierry bordaz tbor...@redhat.com wrote: On 01/14/2015 12:03 PM, Martin Kosek wrote: On 01/14/2015 10:58 AM, thierry bordaz wrote: On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug, if the ability to define non schema attribute was creating a problem for IPA Not before, but with PermissionV2 and especially these patches, we may need to control access to unknown attributes in extensibleObject objects. One possibility is to revert that fix (with or without configuration toggle). But then in a topology with mixed versions of DS, old DS will skipped those aci. Using '*' char is not nice but will guaranty a same evaluation on all servers. We requested attribute validation when adding ACIs, w/o it it was very simple to make typos, which would be fatal for DENY ACIs. The problem here is in using extensibleObject and not defining a schema IMO. That said I am ok with the targetattr with appended asterisk to the undefined attribute name. Simo. After some thoughts, I agree with this path also. I will soon send the revised patches, with this and other improvements. Attaching new, clean version of the patches, following this path. The ACIs are now not as broad as before. Originally, I added all new ACIs as V2 permissions, but then I realized it would not work on replicas, as cn=config is not replicas and the ACIs stored there would not be created as PermissionV2 object would already exist, when the replica is being installed. With attached patch set, admin user or Replication Administrators privilege members should be able to create a winsync connection and PassSync user, e.g.: [root@ipa ~]# ipa-replica-manage connect --winsync --cacert=/home/mkosek/mkad2012.crt --binddn='cn=Administrator,cn=users,dc=mkad2012,dc=test' --bindpw=Secret123 mkdc2012.mkad2012.test --passsync Secret123 -v ... The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test Adding Windows PassSync system account ... Connected 'ipa.mkosek-f21.test' to 'mkdc2012.mkad2012.test' This should just complete and not crash. admin user should then also able to list the winsync replica with # ipa-replica-manage list This fixes one bug. For testing the second ticket, PassSync one, either test with PassSync software directly or verify that passsync system user can see NT attribute and change user passwords: # ldapsearch -D uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test -x -w Secret123 -b cn=users,cn=accounts,dc=mkosek-f21,dc=test (ntuserdomainid=testuser) ntuserdomainid # extended LDIF # # LDAPv3 # base cn=users,cn=accounts,dc=mkosek-f21,dc=test with scope subtree # filter: (ntuserdomainid=testuser) # requesting: ntuserdomainid # # testuser, users, accounts, mkosek-f21.test dn: uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test ntuserdomainid: testuser # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 # ldappasswd -D uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test -x -w Secret123 uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test -s newPassword [root@ipa ~]# echo $? 0 Martin From d5ed6d551d92bbf31e1407c8a525a0508146575c Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue,
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. -- PetrĀ³ dn: cn=config changetype: modify add: aci aci: (targetattr = \22nsslapd-changelogdir\22)(version 3.0;acl \22test-aci\22;allow (compare,read,search) groupdn = \22ldap:///all\22;) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Yes DS acl plugin checks that the named attribute is in the schema. I do not see the benefit of this limitation I need to dig further. Now you may define the 'targetattr' with a '*'. Would it be possible to use an aci syntax like : aci: (targetattr = nsslapd-changelogdir*)(version 3.0;acl test-aci;allow (compare,read,search) groupdn = ldap:///all;;) thanks theirry ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:37 AM, thierry bordaz wrote: On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Yes DS acl plugin checks that the named attribute is in the schema. I do not see the benefit of this limitation I need to dig further. Now you may define the 'targetattr' with a '*'. Would it be possible to use an aci syntax like : aci: (targetattr = nsslapd-changelogdir*)(version 3.0;acl test-aci;allow (compare,read,search) groupdn = ldap:///all;;) thanks theirry Maybe, although it looks bit ugly. So far, I just used * given the ACIs were quite focused and only for Replication Administrators privilege members. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug, if the ability to define non schema attribute was creating a problem for IPA thanks thierry ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:58 AM, thierry bordaz wrote: On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug, if the ability to define non schema attribute was creating a problem for IPA Not before, but with PermissionV2 and especially these patches, we may need to control access to unknown attributes in extensibleObject objects. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 12:03 PM, Martin Kosek wrote: On 01/14/2015 10:58 AM, thierry bordaz wrote: On 01/14/2015 10:15 AM, Petr Viktorin wrote: On 01/13/2015 10:52 PM, Martin Kosek wrote: On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? The ACL Syntax Error comes straight from the DS, so there's not much IPA can do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not sure that's the right solution here. Thierry, any comments? See the attached LDIF. Actually this limitation was added with the bug https://bugzilla.redhat.com/show_bug.cgi?id=244229. I do not see in the bug, if the ability to define non schema attribute was creating a problem for IPA Not before, but with PermissionV2 and especially these patches, we may need to control access to unknown attributes in extensibleObject objects. One possibility is to revert that fix (with or without configuration toggle). But then in a topology with mixed versions of DS, old DS will skipped those aci. Using '*' char is not nice but will guaranty a same evaluation on all servers. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. From a22df9e17b22298c1409ec4f7830161364fedccd Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 13 Jan 2015 18:09:17 +0100 Subject: [PATCH 1/2] Allow PassSync user to locate and update NT users Add new PassSync Service privilege that have sufficient access to let AD PassSync service search for NT users and update the password. To make sure existing PassSync user keeps working, it is added as a member of the new privilege. https://fedorahosted.org/freeipa/ticket/4837 --- install/updates/40-delegation.update | 8 ++ ipalib/plugins/user.py | 12 + ipaserver/install/plugins/Makefile.am| 1 + ipaserver/install/plugins/update_passsync.py | 37 4 files changed, 58 insertions(+) create mode 100644 ipaserver/install/plugins/update_passsync.py diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 988de5e1962fabc6787f5914522b8f133e71a8ff..97de2abcaf04ca0a06b2bbdfadd81b371b8c8150 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -184,3 +184,11 @@ dn: cn=IPA Masters dn: cn=masters,cn=ipa,cn=etc,$SUFFIX add:aci:'(targetfilter = (objectClass=nsContainer))(targetattr = cn || objectClass || ipaConfigString)(version 3.0; acl Read IPA Masters; allow (read, search, compare) userdn = ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX;;)' add:aci:'(targetfilter = (objectClass=nsContainer))(targetattr = ipaConfigString)(version 3.0; acl Modify IPA Masters; allow (write) userdn = ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX;;)' + +# PassSync +dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX +default:objectClass: nestedgroup +default:objectClass: groupofnames +default:objectClass: top +default:cn: PassSync Service +default:description: PassSync Service diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index e206289248dfe9ae79bd87271ff2c7672fb98b4f..56585b9f86593c0c5879139103bc71707b88e15f 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -373,10 +373,12 @@ class user(LDAPObject): 'replaces': [ '(target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory)(version 3.0;acl permission:Change a user password;allow (write) groupdn = ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX;)', '(targetfilter = (!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)))(target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory)(version 3.0;acl permission:Change a user password;allow (write) groupdn = ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX;)', +'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Windows PassSync service can write passwords; allow (write) userdn=ldap:///uid=passsync,cn=sysaccounts,cn=etc,$SUFFIX;;)', ], 'default_privileges': { 'User Administrators', 'Modify Users and Reset passwords', +'PassSync Service', }, }, 'System: Manage User SSH Public Keys': { @@ -446,6 +448,16 @@ class user(LDAPObject): 'homedirectory', 'loginshell', }, }, +'System: Read User NT Attributes': { +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'ipapermdefaultattr': { +'ntuserdomainid', 'ntuniqueid', 'ntuseracctexpires', +'ntusercodepage', 'ntuserdeleteaccount', 'ntuserlastlogoff', +'ntuserlastlogon', +}, +'default_privileges': {'PassSync Service'}, +}, } label = _('Users') diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index d651297ac141b0f05831e7fabbb9b561cdd239c7..ead1d8f7d972c1b016bac8f2b8f7fd1f9a71b563 100644 --- a/ipaserver/install/plugins/Makefile.am +++ b/ipaserver/install/plugins/Makefile.am @@ -14,6 +14,7 @@ app_PYTHON = \ update_referint.py \ ca_renewal_master.py \ update_uniqueness.py \ + update_passsync.py \ $(NULL) EXTRA_DIST = \ diff --git a/ipaserver/install/plugins/update_passsync.py b/ipaserver/install/plugins/update_passsync.py new file mode 100644 index ..56c7f5253061087a2f59d2ed416d3db2f2c7dbec --- /dev/null +++ b/ipaserver/install/plugins/update_passsync.py @@ -0,0
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/13/2015 09:55 PM, Simo Sorce wrote: On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? You mean for: +'System: Read LDBM database config': { +'ipapermlocation': DN('cn=config'), +'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'), +'ipapermbindruletype': 'permission', +'ipapermright': {'read', 'search', 'compare'}, +'default_privileges': {'Replication Administrators'}, +'ipapermdefaultattr': {'*'}, +}, ? I did that as my first try, but then the ACI was not accepted as the attribute I was looking for (nsslapd-changelogdir) is not in the schema as the config is just an extensibleObject. But as I was going through the attributes, I did not see anything super-secret. Petr, is there any way to make permission plugin accept unknown attribute in the permission attribute list, or do we need to use * in this case? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel