[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

Rob Crittenden rcritten at redhat.com
Thu Jun 19 14:03:33 UTC 2014


Petr Viktorin wrote:
> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>> See commit message.
>>>
>>> This was found in the review of host write permissions (my patches
>>> 0578-0579).
>>
>> Wouldn't it be better to filter based on objectclass? I.e.:
>>
>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>
>> instead of DN based target filter? It seems to me that it is more
>> resilient to changes in LDAP structure, in case we change RDN or make
>> one more level like (just example):
>>
>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
> 
> Sure, fixed patch attached.

Are you sure you need read access and not just search/compare? The
purpose is to see "is that thing there" and not "what is in that thing"
right? Sure someone could fish for masters if they really wanted to.

rob
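The two points raised in this thread, the objectclass-based targetfilter versus a DN-based one and read versus search/compare rights, modelled in Python as an added example. This is not FreeIPA project code and not the patch under review: the entry contents, the hypothetical `cn=site1` relayout and the DN-shape rule are constructed for illustration, and the search/compare/read behaviour is a simplified model of 389-ds semantics (search returns matching DNs, read is needed for attribute values, compare answers only for in-scope entries).

```python
"""Added example, not FreeIPA project code.

Models the two ACI questions raised in this thread against a constructed
directory fragment:

1. The objectclass targetfilter (!(objectclass=ipaConfigObject)) versus a
   DN-shape rule for keeping a master's per-service entries out of scope.
2. What an authenticated user learns with only search+compare rights
   compared with read rights, modelled on 389-ds semantics: search returns
   the DNs of matching entries, read is needed for attribute values, and
   compare answers only for in-scope entries.

Entry contents, the cn=site1 relayout and the DN-shape rule are assumptions
made for illustration.
"""

SUFFIX = "dc=ipa,dc=master,dc=test"
MASTERS = f"cn=masters,cn=ipa,cn=etc,{SUFFIX}"


def entry(dn, objectclasses, **extra):
    """Build (dn, attrs) with attribute names lowercased for matching."""
    attrs = {"objectclass": [oc.lower() for oc in objectclasses]}
    attrs.update({k.lower(): v for k, v in extra.items()})
    return dn, attrs


# Constructed fragment: one master plus its service configuration entries,
# including the deeper cn=DNSSEC,cn=DNS level used as an example in the thread.
DIRECTORY = dict([
    entry(MASTERS, ["top", "nsContainer"], cn=["masters"]),
    entry(f"cn=ipa.master.test,{MASTERS}", ["top", "nsContainer"],
          cn=["ipa.master.test"]),
    entry(f"cn=KDC,cn=ipa.master.test,{MASTERS}",
          ["top", "nsContainer", "ipaConfigObject"],
          cn=["KDC"], ipaConfigString=["enabledService"]),
    entry(f"cn=DNS,cn=ipa.master.test,{MASTERS}",
          ["top", "nsContainer", "ipaConfigObject"],
          cn=["DNS"], ipaConfigString=["enabledService"]),
    entry(f"cn=DNSSEC,cn=DNS,cn=ipa.master.test,{MASTERS}",
          ["top", "nsContainer", "ipaConfigObject"],
          cn=["DNSSEC"], ipaConfigString=["enabledService"]),
])

# Hypothetical future layout (assumption): masters grouped one level deeper.
NESTED = dict([
    entry(f"cn=ipa.master.test,cn=site1,{MASTERS}", ["top", "nsContainer"],
          cn=["ipa.master.test"]),
    entry(f"cn=KDC,cn=ipa.master.test,cn=site1,{MASTERS}",
          ["top", "nsContainer", "ipaConfigObject"],
          cn=["KDC"], ipaConfigString=["enabledService"]),
])


def objectclass_target(dn, attrs):
    """targetfilter="(!(objectclass=ipaConfigObject))": in scope unless the
    entry is a config object, wherever it sits in the tree."""
    return "ipaconfigobject" not in attrs["objectclass"]


def dn_shape_target(dn, attrs):
    """Hypothetical DN-based rule: the masters container and its direct
    children only. Tied to the current tree layout."""
    _, _, parent = dn.partition(",")
    return dn == MASTERS or parent == MASTERS


def in_scope(target, directory=DIRECTORY):
    """Sorted DNs the target rule admits."""
    return sorted(dn for dn, attrs in directory.items() if target(dn, attrs))


def search(rights, target, directory=DIRECTORY):
    """Subtree search by a bind DN holding `rights` (subset of
    {"search", "compare", "read"}). Without search nothing is returned;
    with search but no read the caller sees DNs and empty attribute sets."""
    if "search" not in rights:
        return {}
    return {dn: (dict(attrs) if "read" in rights else {})
            for dn, attrs in directory.items() if target(dn, attrs)}


def compare(rights, target, dn, attr, value, directory=DIRECTORY):
    """LDAP compare. None models the server not answering: no compare right,
    unknown DN, or entry outside the ACI target."""
    attrs = directory.get(dn)
    if attrs is None or "compare" not in rights or not target(dn, attrs):
        return None
    return value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]


if __name__ == "__main__":
    master = f"cn=ipa.master.test,{MASTERS}"
    print("objectclass rule:", in_scope(objectclass_target))
    print("DN-shape rule:   ", in_scope(dn_shape_target))
    print("after relayout:  ", in_scope(objectclass_target, NESTED),
          in_scope(dn_shape_target, NESTED))
    print("search only:", search({"search", "compare"}, objectclass_target))
    print("compare cn:", compare({"search", "compare"}, objectclass_target,
                                master, "cn", "ipa.master.test"))
```

On the constructed tree both rules admit the same two entries, and the objectclass rule keeps admitting the master after the hypothetical relayout while the DN-shape rule admits nothing. With search and compare but no read, the caller gets the master DNs and can confirm a guessed hostname by comparing `cn`, which is the "fishing for masters" Rob refers to, but sees no attribute values.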