[Freeipa-devel] patch to add krb instance init

Simo Sorce ssorce at redhat.com
Fri Jun 29 18:31:54 UTC 2007


On Fri, 2007-06-29 at 10:44 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > The patch contains also a few clean ups.
> >
> > If there are no objections I'll do an hg push to commit this stuff to
> > the main repo, sometimes around 2pm-4pm
> >
> >   
> Looks good, some comments below.
> > Default DIT is not yet finalized, I'd like comments on that.
> I actually don't like the "default" thing. We should probably discuss 
> the purpose of that and how it would work - it is obviously anticipatory 
> so we need to work through what it is anticipating.

I don't like the name either, but the function is to have one level
between users/groups/whatever and the base object.
The reason is that this way we can have OUs that can be easily excluded
from the most common searches. E.g. I assume people can configure things
like nss-ldap to ou=default,basedn with subtree searches, so that it
will spare any searches on OUs at the same level as ou=default.

One of the possible ideas was to have an ou=posix at the same level as
ou=default, and under ou=posix to have the classic
ou=people/ou=group/ou=hosts view for legacy systems with the posix group
translation plug-in operating only there.
This needs discussion as well, but it is a possibility.

Same for kerberos kldap module searches: the current patch still
references the whole tree in the krbContainer, but I'd like to change
that to point to cn=kerberos and ou=default only, not the whole DIT.

> > diff -r daf5da216c98 ipa-install/share/default-aci.ldif
> > --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
> > +++ b/ipa-install/share/default-aci.ldif	Thu Jun 28 17:23:26 2007 -0400
> > @@ -0,0 +1,8 @@
> > +# $SUFFIX (base entry)
> > +dn: $SUFFIX
> > +changetype: modify
> > +replace: aci
> > +aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
> >   
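Review bot: `replace: aci` on `dn: $SUFFIX` discards every aci value already present on the base entry, not only the anonymous one; the reply says this is meant to expand the stock fedora-ds-base ACI, so if wiping the existing values is intended a comment on the entry should say so, otherwise `add: aci` keeps them. The ACI itself is a deny-list: `targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword"` grants anonymous read/search/compare on every attribute not named, so any sensitive attribute added to the schema later is readable by default; an allow-list of the attributes anonymous actually needs fails closed instead. Minor: the space after `||` before `sambaLMPassword` is missing.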
> This aci should specify the attributes that anonymous can read, search, 
> compare, rather than specifying those anonymous cannot otherwise it is 
> very easy to accidentally allow access to sensitive information. We 
> should identify the set of attributes that are probably common "anon" 
> access attributes and set up the aci for that.

Yeah, ACIs need a lot more thinking, here I just expanded the default ACI
shipped with fedora-ds-base. The problem is that such attributes should
be denied to anyone not just anonymous. Only self (perhaps) and account
admins (perhaps) should be able to retrieve them.

But right now it does the job, so I'd go on with the knowledge we will
change this stuff during development.

Simo
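The allow-list form Pete asks for, shown beside the deny-list ACI from the patch, as an added example that is not from the patch or the FreeIPA tree; the two entries are alternatives, not meant to be applied together, and the set of anonymous-readable attributes is an illustrative assumption that the thread has not agreed on.

```ldif
# Alternative 1: deny-list form as in the patch. Anonymous may read
# every attribute except the four named ones, so any sensitive
# attribute added later (a new hash or key type) is exposed by default.
dn: $SUFFIX
changetype: modify
replace: aci
aci: (targetattr!="userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)

# Alternative 2: allow-list form. Anonymous may read only the attributes
# listed; anything not named (password hashes, Kerberos keys, attributes
# added in future) stays inaccessible unless another ACI grants it.
# The attribute set is an assumption chosen for illustration only.
dn: $SUFFIX
changetype: modify
replace: aci
aci: (targetattr="objectClass || cn || sn || givenName || uid || ou || mail || member")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
```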
