Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/19/2015 01:20 PM, David Kupka wrote: Hi! This works for me. If all concerns regarding PermissionV2 and ACIs in general are resolved we can push. Both patches were pushed by mkosek on 2015-01-19: master: 6652c4eb2ebece71b6d60001246bd0fee5909099 Allow PassSync user to locate and update NT users ipa-4-1: 282d1ec2f9346c4a38b9867cff2ecf9151c0a794 Allow PassSync user to locate and update NT users master: 1537ac8138bf4371ae38147e8979904c756b3800 Allow Replication Administrators manipulate Winsync Agreements ipa-4-1: 794c9e6c31c4db2ae5c5869dbf782fab84eafd9f Allow Replication Administrators manipulate Winsync Agreements -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:27 PM, Martin Kosek wrote: Adding freeipa-devel back. On 01/14/2015 05:58 PM, Simo Sorce wrote: On Wed, 14 Jan 2015 17:47:51 +0100 Martin Kosek mko...@redhat.com wrote: -add:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)' +remove:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)' Why this removal ? It is in the patch description. This container stores winsync replicas. With this deny ACI, admin or anyone else besides Directory Manager can see the replicas as deny rules take precedence and this one is scoped for ldap://anyone. My thinking was that this container is not too secret anyway, the only information that user get is name of the winsync'ed AD. +dn: cn=config +add:aci: '(version 3.0;acl permission:Add Configuration Sub-Entries;allow (add) groupdn = ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX;)' Doesn't this allow REplication admin to add any object anywhere in cn=config ? This would be too broad. It does. I wanted to narrow it with targetfilter '(targetfilter = (cn=changelog5))' but, it did not work for me, ADD was rejected. Not sure why though, when I used '(targetfilter = (objectclass=extensibleobject))', it worked fine. I fear this is some problem in DS targetfilter evaluation during ADD operation, CCing Ludwig for reference. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hi! This works for me. If all concerns regarding PermissionV2 and ACIs in general are resolved we can push. -- David Kupka ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
Adding freeipa-devel back. On 01/14/2015 05:58 PM, Simo Sorce wrote: On Wed, 14 Jan 2015 17:47:51 +0100 Martin Kosek mko...@redhat.com wrote: -add:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)' +remove:aci:'(targetfilter=(objectclass=nsContainer))(version 3.0; acl Deny read access to replica configuration; deny(read, search, compare) userdn = ldap:///anyone;;)' Why this removal ? It is in the patch description. This container stores winsync replicas. With this deny ACI, admin or anyone else besides Directory Manager can see the replicas as deny rules take precedence and this one is scoped for ldap://anyone. My thinking was that this container is not too secret anyway, the only information that user get is name of the winsync'ed AD. +dn: cn=config +add:aci: '(version 3.0;acl permission:Add Configuration Sub-Entries;allow (add) groupdn = ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX;)' Doesn't this allow REplication admin to add any object anywhere in cn=config ? This would be too broad. It does. I wanted to narrow it with targetfilter '(targetfilter = (cn=changelog5))' but, it did not work for me, ADD was rejected. Not sure why though, when I used '(targetfilter = (objectclass=extensibleobject))', it worked fine. I fear this is some problem in DS targetfilter evaluation during ADD operation, CCing Ludwig for reference. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On Wed, 14 Jan 2015 13:41:54 +0100
thierry bordaz tbor...@redhat.com wrote:
On 01/14/2015 12:03 PM, Martin Kosek wrote:
On 01/14/2015 10:58 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2
refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted
as the attribute I was looking for (nsslapd-changelogdir) is not
in the schema as the config is just an extensibleObject. But as
I was going through the attributes, I did not see anything
super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use
* in this case?
The ACL Syntax Error comes straight from the DS, so there's not
much IPA can do. The error suggests adding nsslapd-changelogdir
to the schema, but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Actually this limitation was added with the bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug, if the ability to define non schema
attribute was creating a problem for IPA
Not before, but with PermissionV2 and especially these patches, we
may need to control access to unknown attributes in
extensibleObject objects.
One possibility is to revert that fix (with or without configuration
toggle). But then in a topology with mixed versions of DS, old DS
will skipped those aci.
Using '*' char is not nice but will guaranty a same evaluation on all
servers.
We requested attribute validation when adding ACIs, w/o it it was very
simple to make typos, which would be fatal for DENY ACIs.
The problem here is in using extensibleObject and not defining a
schema IMO.
That said I am ok with the targetattr with appended asterisk to the
undefined attribute name.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 03:34 PM, Simo Sorce wrote:
On Wed, 14 Jan 2015 13:41:54 +0100
thierry bordaz tbor...@redhat.com wrote:
On 01/14/2015 12:03 PM, Martin Kosek wrote:
On 01/14/2015 10:58 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2
refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted
as the attribute I was looking for (nsslapd-changelogdir) is not
in the schema as the config is just an extensibleObject. But as
I was going through the attributes, I did not see anything
super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use
* in this case?
The ACL Syntax Error comes straight from the DS, so there's not
much IPA can do. The error suggests adding nsslapd-changelogdir
to the schema, but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Actually this limitation was added with the bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug, if the ability to define non schema
attribute was creating a problem for IPA
Not before, but with PermissionV2 and especially these patches, we
may need to control access to unknown attributes in
extensibleObject objects.
One possibility is to revert that fix (with or without configuration
toggle). But then in a topology with mixed versions of DS, old DS
will skipped those aci.
Using '*' char is not nice but will guaranty a same evaluation on all
servers.
We requested attribute validation when adding ACIs, w/o it it was very
simple to make typos, which would be fatal for DENY ACIs.
The problem here is in using extensibleObject and not defining a
schema IMO.
That said I am ok with the targetattr with appended asterisk to the
undefined attribute name.
Simo.
After some thoughts, I agree with this path also. I will soon send the revised
patches, with this and other improvements.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On Wed, 14 Jan 2015, Simo Sorce wrote:
On Wed, 14 Jan 2015 13:41:54 +0100
thierry bordaz tbor...@redhat.com wrote:
On 01/14/2015 12:03 PM, Martin Kosek wrote:
On 01/14/2015 10:58 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2
refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted
as the attribute I was looking for (nsslapd-changelogdir) is not
in the schema as the config is just an extensibleObject. But as
I was going through the attributes, I did not see anything
super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use
* in this case?
The ACL Syntax Error comes straight from the DS, so there's not
much IPA can do. The error suggests adding nsslapd-changelogdir
to the schema, but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Actually this limitation was added with the bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug, if the ability to define non schema
attribute was creating a problem for IPA
Not before, but with PermissionV2 and especially these patches, we
may need to control access to unknown attributes in
extensibleObject objects.
One possibility is to revert that fix (with or without configuration
toggle). But then in a topology with mixed versions of DS, old DS
will skipped those aci.
Using '*' char is not nice but will guaranty a same evaluation on all
servers.
We requested attribute validation when adding ACIs, w/o it it was very
simple to make typos, which would be fatal for DENY ACIs.
The problem here is in using extensibleObject and not defining a
schema IMO.
That said I am ok with the targetattr with appended asterisk to the
undefined attribute name.
+1. Another alternative is to use some symbol that could not be present
in the attribute name at the beginning of the targetattr to switch off
the schema checks, e.g. targetattr=nssldapd-changelogdir.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 03:42 PM, Alexander Bokovoy wrote:
On Wed, 14 Jan 2015, Simo Sorce wrote:
On Wed, 14 Jan 2015 13:41:54 +0100
thierry bordaz tbor...@redhat.com wrote:
On 01/14/2015 12:03 PM, Martin Kosek wrote:
On 01/14/2015 10:58 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2
refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted
as the attribute I was looking for (nsslapd-changelogdir) is not
in the schema as the config is just an extensibleObject. But as
I was going through the attributes, I did not see anything
super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use
* in this case?
The ACL Syntax Error comes straight from the DS, so there's not
much IPA can do. The error suggests adding nsslapd-changelogdir
to the schema, but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Actually this limitation was added with the bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug, if the ability to define non schema
attribute was creating a problem for IPA
Not before, but with PermissionV2 and especially these patches, we
may need to control access to unknown attributes in
extensibleObject objects.
One possibility is to revert that fix (with or without configuration
toggle). But then in a topology with mixed versions of DS, old DS
will skipped those aci.
Using '*' char is not nice but will guaranty a same evaluation on all
servers.
We requested attribute validation when adding ACIs, w/o it it was very
simple to make typos, which would be fatal for DENY ACIs.
The problem here is in using extensibleObject and not defining a
schema IMO.
That said I am ok with the targetattr with appended asterisk to the
undefined attribute name.
+1. Another alternative is to use some symbol that could not be present
in the attribute name at the beginning of the targetattr to switch off
the schema checks, e.g. targetattr=nssldapd-changelogdir.
Right, but the disadvantage is that ACIs following that approach would only
work on new servers...
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 03:58 PM, Martin Kosek wrote:
On 01/14/2015 03:34 PM, Simo Sorce wrote:
On Wed, 14 Jan 2015 13:41:54 +0100
thierry bordaz tbor...@redhat.com wrote:
On 01/14/2015 12:03 PM, Martin Kosek wrote:
On 01/14/2015 10:58 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2
refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted
as the attribute I was looking for (nsslapd-changelogdir) is not
in the schema as the config is just an extensibleObject. But as
I was going through the attributes, I did not see anything
super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use
* in this case?
The ACL Syntax Error comes straight from the DS, so there's not
much IPA can do. The error suggests adding nsslapd-changelogdir
to the schema, but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Actually this limitation was added with the bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug, if the ability to define non schema
attribute was creating a problem for IPA
Not before, but with PermissionV2 and especially these patches, we
may need to control access to unknown attributes in
extensibleObject objects.
One possibility is to revert that fix (with or without configuration
toggle). But then in a topology with mixed versions of DS, old DS
will skipped those aci.
Using '*' char is not nice but will guaranty a same evaluation on all
servers.
We requested attribute validation when adding ACIs, w/o it it was very
simple to make typos, which would be fatal for DENY ACIs.
The problem here is in using extensibleObject and not defining a
schema IMO.
That said I am ok with the targetattr with appended asterisk to the
undefined attribute name.
Simo.
After some thoughts, I agree with this path also. I will soon send the revised
patches, with this and other improvements.
Attaching new, clean version of the patches, following this path. The ACIs are
now not as broad as before.
Originally, I added all new ACIs as V2 permissions, but then I realized it
would not work on replicas, as cn=config is not replicas and the ACIs stored
there would not be created as PermissionV2 object would already exist, when the
replica is being installed.
With attached patch set, admin user or Replication Administrators privilege
members should be able to create a winsync connection and PassSync user, e.g.:
[root@ipa ~]# ipa-replica-manage connect --winsync
--cacert=/home/mkosek/mkad2012.crt
--binddn='cn=Administrator,cn=users,dc=mkad2012,dc=test' --bindpw=Secret123
mkdc2012.mkad2012.test --passsync Secret123 -v
...
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test
Adding Windows PassSync system account
...
Connected 'ipa.mkosek-f21.test' to 'mkdc2012.mkad2012.test'
This should just complete and not crash. admin user should then also able to
list the winsync replica with
# ipa-replica-manage list
This fixes one bug. For testing the second ticket, PassSync one, either test
with PassSync software directly or verify that passsync system user can see NT
attribute and change user passwords:
# ldapsearch -D uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test -x
-w Secret123 -b cn=users,cn=accounts,dc=mkosek-f21,dc=test
(ntuserdomainid=testuser) ntuserdomainid
# extended LDIF
#
# LDAPv3
# base cn=users,cn=accounts,dc=mkosek-f21,dc=test with scope subtree
# filter: (ntuserdomainid=testuser)
# requesting: ntuserdomainid
#
# testuser, users, accounts, mkosek-f21.test
dn: uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test
ntuserdomainid: testuser
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# ldappasswd -D uid=passsync,cn=sysaccounts,cn=etc,dc=mkosek-f21,dc=test -x
-w Secret123 uid=testuser,cn=users,cn=accounts,dc=mkosek-f21,dc=test -s
newPassword
[root@ipa ~]# echo $?
0
Martin
From d5ed6d551d92bbf31e1407c8a525a0508146575c Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue,
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
as the config is just an extensibleObject. But as I was going through
the attributes, I did not see anything super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use * in
this case?
The ACL Syntax Error comes straight from the DS, so there's not much IPA
can do. The error suggests adding nsslapd-changelogdir to the schema,
but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
--
PetrĀ³
dn: cn=config
changetype: modify
add: aci
aci: (targetattr = \22nsslapd-changelogdir\22)(version 3.0;acl \22test-aci\22;allow (compare,read,search) groupdn = \22ldap:///all\22;)
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
as the config is just an extensibleObject. But as I was going through
the attributes, I did not see anything super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use * in
this case?
The ACL Syntax Error comes straight from the DS, so there's not much
IPA can do. The error suggests adding nsslapd-changelogdir to the
schema, but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Yes DS acl plugin checks that the named attribute is in the schema. I do
not see the benefit of this limitation I need to dig further.
Now you may define the 'targetattr' with a '*'. Would it be possible to
use an aci syntax like :
aci: (targetattr = nsslapd-changelogdir*)(version 3.0;acl test-aci;allow
(compare,read,search) groupdn = ldap:///all;;)
thanks
theirry
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:37 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
as the config is just an extensibleObject. But as I was going through
the attributes, I did not see anything super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use * in
this case?
The ACL Syntax Error comes straight from the DS, so there's not much IPA can
do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Yes DS acl plugin checks that the named attribute is in the schema. I do not
see the benefit of this limitation I need to dig further.
Now you may define the 'targetattr' with a '*'. Would it be possible to use an
aci syntax like :
aci: (targetattr = nsslapd-changelogdir*)(version 3.0;acl test-aci;allow
(compare,read,search) groupdn = ldap:///all;;)
thanks
theirry
Maybe, although it looks bit ugly. So far, I just used * given the ACIs were
quite focused and only for Replication Administrators privilege members.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
as the config is just an extensibleObject. But as I was going through
the attributes, I did not see anything super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use * in
this case?
The ACL Syntax Error comes straight from the DS, so there's not much
IPA can do. The error suggests adding nsslapd-changelogdir to the
schema, but I'm not sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Actually this limitation was added with the bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug, if the ability to define non schema attribute
was creating a problem for IPA
thanks
thierry
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 10:58 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
as the config is just an extensibleObject. But as I was going through
the attributes, I did not see anything super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use * in
this case?
The ACL Syntax Error comes straight from the DS, so there's not much IPA can
do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Actually this limitation was added with the bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug, if the ability to define non schema attribute was
creating a problem for IPA
Not before, but with PermissionV2 and especially these patches, we may need to
control access to unknown attributes in extensibleObject objects.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/14/2015 12:03 PM, Martin Kosek wrote:
On 01/14/2015 10:58 AM, thierry bordaz wrote:
On 01/14/2015 10:15 AM, Petr Viktorin wrote:
On 01/13/2015 10:52 PM, Martin Kosek wrote:
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm
database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema
as the config is just an extensibleObject. But as I was going through
the attributes, I did not see anything super-secret.
Petr, is there any way to make permission plugin accept unknown
attribute in the permission attribute list, or do we need to use * in
this case?
The ACL Syntax Error comes straight from the DS, so there's not much IPA can
do. The error suggests adding nsslapd-changelogdir to the schema, but I'm not
sure that's the right solution here.
Thierry, any comments? See the attached LDIF.
Actually this limitation was added with the bug
https://bugzilla.redhat.com/show_bug.cgi?id=244229.
I do not see in the bug, if the ability to define non schema attribute was
creating a problem for IPA
Not before, but with PermissionV2 and especially these patches, we may need to
control access to unknown attributes in extensibleObject objects.
One possibility is to revert that fix (with or without configuration
toggle). But then in a topology with mixed versions of DS, old DS will
skipped those aci.
Using '*' char is not nice but will guaranty a same evaluation on all
servers.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
This is crude first version of the (working) fixes to fix Winsync/Passsync
problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
--
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From a22df9e17b22298c1409ec4f7830161364fedccd Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 13 Jan 2015 18:09:17 +0100
Subject: [PATCH 1/2] Allow PassSync user to locate and update NT users
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.
https://fedorahosted.org/freeipa/ticket/4837
---
install/updates/40-delegation.update | 8 ++
ipalib/plugins/user.py | 12 +
ipaserver/install/plugins/Makefile.am| 1 +
ipaserver/install/plugins/update_passsync.py | 37
4 files changed, 58 insertions(+)
create mode 100644 ipaserver/install/plugins/update_passsync.py
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 988de5e1962fabc6787f5914522b8f133e71a8ff..97de2abcaf04ca0a06b2bbdfadd81b371b8c8150 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -184,3 +184,11 @@ dn: cn=IPA Masters
dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
add:aci:'(targetfilter = (objectClass=nsContainer))(targetattr = cn || objectClass || ipaConfigString)(version 3.0; acl Read IPA Masters; allow (read, search, compare) userdn = ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX;;)'
add:aci:'(targetfilter = (objectClass=nsContainer))(targetattr = ipaConfigString)(version 3.0; acl Modify IPA Masters; allow (write) userdn = ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX;;)'
+
+# PassSync
+dn: cn=PassSync Service,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: PassSync Service
+default:description: PassSync Service
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index e206289248dfe9ae79bd87271ff2c7672fb98b4f..56585b9f86593c0c5879139103bc71707b88e15f 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -373,10 +373,12 @@ class user(LDAPObject):
'replaces': [
'(target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory)(version 3.0;acl permission:Change a user password;allow (write) groupdn = ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX;)',
'(targetfilter = (!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)))(target = ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory)(version 3.0;acl permission:Change a user password;allow (write) groupdn = ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX;)',
+'(targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Windows PassSync service can write passwords; allow (write) userdn=ldap:///uid=passsync,cn=sysaccounts,cn=etc,$SUFFIX;;)',
],
'default_privileges': {
'User Administrators',
'Modify Users and Reset passwords',
+'PassSync Service',
},
},
'System: Manage User SSH Public Keys': {
@@ -446,6 +448,16 @@ class user(LDAPObject):
'homedirectory', 'loginshell',
},
},
+'System: Read User NT Attributes': {
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'ntuserdomainid', 'ntuniqueid', 'ntuseracctexpires',
+'ntusercodepage', 'ntuserdeleteaccount', 'ntuserlastlogoff',
+'ntuserlastlogon',
+},
+'default_privileges': {'PassSync Service'},
+},
}
label = _('Users')
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index d651297ac141b0f05831e7fabbb9b561cdd239c7..ead1d8f7d972c1b016bac8f2b8f7fd1f9a71b563 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -14,6 +14,7 @@ app_PYTHON = \
update_referint.py \
ca_renewal_master.py \
update_uniqueness.py \
+ update_passsync.py \
$(NULL)
EXTRA_DIST = \
diff --git a/ipaserver/install/plugins/update_passsync.py b/ipaserver/install/plugins/update_passsync.py
new file mode 100644
index ..56c7f5253061087a2f59d2ed416d3db2f2c7dbec
--- /dev/null
+++ b/ipaserver/install/plugins/update_passsync.py
@@ -0,0
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On Tue, 13 Jan 2015 18:16:11 +0100 Martin Kosek mko...@redhat.com wrote: This is crude first version of the (working) fixes to fix Winsync/Passsync problems caused by the PermissionV2 refactoring. Simo/Petr3 or others, any concerns? The first patch looks good the second looks .. broad ? Shouldn't you explicitly allow specific attributes ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 488-489 PermissionsV2 related winsync fixes
On 01/13/2015 09:55 PM, Simo Sorce wrote:
On Tue, 13 Jan 2015 18:16:11 +0100
Martin Kosek mko...@redhat.com wrote:
This is crude first version of the (working) fixes to fix
Winsync/Passsync problems caused by the PermissionV2 refactoring.
Simo/Petr3 or others, any concerns?
The first patch looks good
the second looks .. broad ?
Shouldn't you explicitly allow specific attributes ?
You mean for:
+'System: Read LDBM database config': {
+'ipapermlocation': DN('cn=config'),
+'ipapermtarget': DN('cn=config,cn=ldbm database,cn=plugins,cn=config'),
+'ipapermbindruletype': 'permission',
+'ipapermright': {'read', 'search', 'compare'},
+'default_privileges': {'Replication Administrators'},
+'ipapermdefaultattr': {'*'},
+},
? I did that as my first try, but then the ACI was not accepted as the
attribute I was looking for (nsslapd-changelogdir) is not in the schema as the
config is just an extensibleObject. But as I was going through the attributes,
I did not see anything super-secret.
Petr, is there any way to make permission plugin accept unknown attribute in
the permission attribute list, or do we need to use * in this case?
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
