Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On 04/07/2014 05:00 PM, Simo Sorce wrote:
> On Mon, 2014-04-07 at 16:43 +0200, Martin Kosek wrote:
>> On 04/03/2014 01:34 PM, Petr Viktorin wrote:
>>> Hello,
>>> This adds anonymous read access to containers, as discussed in this thread:
>>> https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
>>> Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
>>> These are raw ACIs, not permission-based ones.
>>
>> Starting a new sub-thread to differentiate it from the LDIF/update file fixes.
>>
>> I tested the new ACI and it worked ok for me (it is a prerequisite for easy testing of the subsequent ACI patches). I assume you plan to handle the cn=etc tree in another patch. ACK from me in that case (not pushing right now to let Simo raise any concerns he may have).

Thanks, pushed to master: 0e659983a6454370021a748d7534cad9febd6cc1

>> Martin
>
> I do not have any concern on the ACI itself, I only mused about ldif+update vs update only, sorry if I gave the wrong impression.
>
> Simo.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On 04/03/2014 01:34 PM, Petr Viktorin wrote:
> Hello,
> This adds anonymous read access to containers, as discussed in this thread:
> https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
> Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
> These are raw ACIs, not permission-based ones.

Starting a new sub-thread to differentiate it from the LDIF/update file fixes.

I tested the new ACI and it worked ok for me (it is a prerequisite for easy testing of the subsequent ACI patches). I assume you plan to handle the cn=etc tree in another patch. ACK from me in that case (not pushing right now to let Simo raise any concerns he may have).

Martin
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On Mon, 2014-04-07 at 16:43 +0200, Martin Kosek wrote:
> On 04/03/2014 01:34 PM, Petr Viktorin wrote:
>> Hello,
>> This adds anonymous read access to containers, as discussed in this thread:
>> https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
>> Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
>> These are raw ACIs, not permission-based ones.
>
> Starting a new sub-thread to differentiate it from the LDIF/update file fixes.
>
> I tested the new ACI and it worked ok for me (it is a prerequisite for easy testing of the subsequent ACI patches). I assume you plan to handle the cn=etc tree in another patch. ACK from me in that case (not pushing right now to let Simo raise any concerns he may have).
>
> Martin

I do not have any concern on the ACI itself, I only mused about ldif+update vs update only, sorry if I gave the wrong impression.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On 04/03/2014 03:28 PM, Simo Sorce wrote:
> On Thu, 2014-04-03 at 15:19 +0200, Petr Viktorin wrote:
>> On 04/03/2014 02:53 PM, Simo Sorce wrote:
>>> On Thu, 2014-04-03 at 13:34 +0200, Petr Viktorin wrote:
>>>> Hello,
>>>> This adds anonymous read access to containers, as discussed in this thread:
>>>> https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
>>>> Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
>>>> These are raw ACIs, not permission-based ones.
>>>
>>> Why is this not set in default-aci.ldif as well ?
>>>
>>> Simo.
>>
>> Because we don't want to duplicate information.
>
> So are we removing default-aci.ldif completely ?
> I think we already mentioned this, but I can hardly recall the discussion, sorry.
>
> Simo.

Sorry for the brief answer, I was just leaving for the day.

Storing the data in both the LDIFs and update files is unnecessary, and the two files will get out of sync, so one would need to look at both of them to get the full picture anyway.
So now the plan is to put new data only in update files (except for schema, which has a special LDIF-based updater).
default-aci.ldif might end up being removed completely, but it doesn't really bring us anything except being cleaner, so it's not a priority.

I found the discussion:
http://www.redhat.com/archives/freeipa-devel/2013-September/msg00106.html; the relevant part is:

Rob: The plan at the time updates were added was to move absolutely everything out of ldif and into updates. It just never happened.

Petr: Good to know. Is it still the plan? Do I only need to change the update files?

Rob: It would be my preference. It goes beyond only changing one set of files. The existing ldif that duplicate things need to be deprecated. We can't get to a zero-ldif install, but it can be reduced significantly.

--
Petr³
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On Fri, 2014-04-04 at 10:54 +0200, Petr Viktorin wrote:
> On 04/03/2014 03:28 PM, Simo Sorce wrote:
>> On Thu, 2014-04-03 at 15:19 +0200, Petr Viktorin wrote:
>>> On 04/03/2014 02:53 PM, Simo Sorce wrote:
>>>> On Thu, 2014-04-03 at 13:34 +0200, Petr Viktorin wrote:
>>>>> Hello,
>>>>> This adds anonymous read access to containers, as discussed in this thread:
>>>>> https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
>>>>> Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
>>>>> These are raw ACIs, not permission-based ones.
>>>>
>>>> Why is this not set in default-aci.ldif as well ?
>>>>
>>>> Simo.
>>>
>>> Because we don't want to duplicate information.
>>
>> So are we removing default-aci.ldif completely ?
>> I think we already mentioned this, but I can hardly recall the discussion, sorry.
>>
>> Simo.
>
> Sorry for the brief answer, I was just leaving for the day.
>
> Storing the data in both the LDIFs and update files is unnecessary, and the two files will get out of sync, so one would need to look at both of them to get the full picture anyway.
> So now the plan is to put new data only in update files (except for schema, which has a special LDIF-based updater).
> default-aci.ldif might end up being removed completely, but it doesn't really bring us anything except being cleaner, so it's not a priority.
>
> I found the discussion:
> http://www.redhat.com/archives/freeipa-devel/2013-September/msg00106.html; the relevant part is:
>
> Rob: The plan at the time updates were added was to move absolutely everything out of ldif and into updates. It just never happened.
>
> Petr: Good to know. Is it still the plan? Do I only need to change the update files?
>
> Rob: It would be my preference. It goes beyond only changing one set of files. The existing ldif that duplicate things need to be deprecated. We can't get to a zero-ldif install, but it can be reduced significantly.

Ok, however at the moment this is confusing for someone searching the code.

Can we schedule an effort to clean up and remove as many ldif files as possible?
Also, do we need to call updates earlier if we do this ?
Should we add warnings in the remaining ldif files about not adding content there unless explicitly required in early installation steps, and redirect people to the update files ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
Hello,
This adds anonymous read access to containers, as discussed in this thread:
https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
These are raw ACIs, not permission-based ones.

--
Petr³

From 6281a7159138d7c3bf024ed4ff370fe1193c5799 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 3 Apr 2014 12:40:48 +0200
Subject: [PATCH] Allow anonymous read access to containers

All nsContainer objects, except ones in cn=etc, can now be read anonymously.
The allowed attributes are cn and objectclass. These are the same in all IPA installations so they don't provide any sensitive information.

Also, $SUFFIX itself can now be read anonymously.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/20-aci.update | 8
 1 file changed, 8 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 3f27eb84416f3869b65d424d10f46b1a8572dee9..e9e1fe9db4d9c594ae0485c6f7cec8a668a8ff92 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -16,3 +16,11 @@ dn: cn=computers,cn=accounts,$SUFFIX dn: cn=computers,cn=accounts,$SUFFIX add:aci:'(targetattr=ipasshpubkey)(version 3.0; acl Hosts can manage other host SSH public keys; allow(write) userattr = parent[0,1].managedby#USERDN;)' + +# Read access to $SUFFIX itself +dn: $SUFFIX +add:aci:'(targetfilter=(objectclass=domain))(targetattr=objectclass || dc || info || nisDomain || associatedDomain)(version 3.0; acl Anonymous read access to DIT root; allow(read, search, compare) userdn = ldap:///anyone;;)' + +# Read access to containers +dn: $SUFFIX +add:aci:'(targetfilter=(objectclass=nsContainer))(target!=ldap:///cn=etc,$SUFFIX;)(targetattr=objectclass || cn)(version 3.0; acl Anonymous read access to containers; allow(read, search, compare) userdn = ldap:///anyone;;)' -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
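Review bot: the "Anonymous read access to DIT root" ACI lists `info` in its `targetattr` next to the identity attributes (`dc`, `nisDomain`, `associatedDomain`); unlike those, `info` is free-form text an administrator may put anything into, so please either confirm anonymous clients need it or drop it, and have the commit message name the root attributes that become readable (it currently says only "$SUFFIX itself can now be read anonymously", while the container ACI gets an explicit justification for `cn` and `objectclass`). The `(target!=ldap:///cn=etc,$SUFFIX)` exclusion on the container ACI matches Martin's expectation that cn=etc is handled in a separate patch; a comment line above that `add:aci:` saying so would help, since the thread already notes that someone searching the code will otherwise not find the rationale.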
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On Thu, 2014-04-03 at 13:34 +0200, Petr Viktorin wrote:
> Hello,
> This adds anonymous read access to containers, as discussed in this thread:
> https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
> Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
> These are raw ACIs, not permission-based ones.

Why is this not set in default-aci.ldif as well ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On 04/03/2014 02:53 PM, Simo Sorce wrote:
> On Thu, 2014-04-03 at 13:34 +0200, Petr Viktorin wrote:
>> Hello,
>> This adds anonymous read access to containers, as discussed in this thread:
>> https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
>> Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
>> These are raw ACIs, not permission-based ones.
>
> Why is this not set in default-aci.ldif as well ?
>
> Simo.

Because we don't want to duplicate information.

--
Petr³
Re: [Freeipa-devel] [PATCH] 0507 Allow anonymous read access to containers
On Thu, 2014-04-03 at 15:19 +0200, Petr Viktorin wrote:
> On 04/03/2014 02:53 PM, Simo Sorce wrote:
>> On Thu, 2014-04-03 at 13:34 +0200, Petr Viktorin wrote:
>>> Hello,
>>> This adds anonymous read access to containers, as discussed in this thread:
>>> https://www.redhat.com/archives/freeipa-devel/2014-March/msg00442.html
>>> Additionally access is granted for $SUFFIX itself with targetfilter (objectclass=domain), and attributes objectclass, dc, info, nisDomain, associatedDomain.
>>> These are raw ACIs, not permission-based ones.
>>
>> Why is this not set in default-aci.ldif as well ?
>>
>> Simo.
>
> Because we don't want to duplicate information.

So are we removing default-aci.ldif completely ?
I think we already mentioned this, but I can hardly recall the discussion, sorry.

Simo.

--
Simo Sorce * Red Hat, Inc * New York