[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users

Martin Kosek mkosek at redhat.com
Thu Jun 19 14:11:27 UTC 2014


On 06/19/2014 04:03 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>>> See commit message.
>>>>
>>>> This was found in the review of host write permissions (my patches
>>>> 0578-0579).
>>>
>>> Wouldn't it be better to filter based on objectclass? I.e.:
>>>
>>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>>
>>> instead of DN based target filter? It seems to me that it is more
>>> resilient to
>>> changes in LDAP structure, in case we change RDN or make one more
>>> level like
>>> (just example):
>>>
>>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
>>
>> Sure, fixed patch attached.
> 
> Are you sure you need read access and not just search/compare? The
> purpose is to see "is that thing there" and not "what is in that thing"
> right? Sure someone could fish for masters if they really wanted to.
> 
> rob


I had the same idea and I did a couple of tests with just search and compare yesterday.
However, neither form worked for me, so I gave up.

Martin
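To make the difference between the two targeting styles in the thread concrete, here is an added toy model (not FreeIPA code, not the patch under review). It contrasts a hypothetical DN-depth-based exclusion with Martin's objectclass-based `(targetfilter="(!(objectclass=ipaConfigObject))")` over a few constructed entries, including the deeper `cn=DNSSEC,cn=DNS,...` case he gives. The suffix, the sample entries, the DN pattern and the 389-ds ACI rendering are assumptions made for illustration; the DN matcher deliberately has no subtree semantics so the fragility being discussed is visible.

```python
import re

SUFFIX = "dc=example,dc=test"                      # constructed suffix, not a real deployment
MASTERS = f"cn=masters,cn=ipa,cn=etc,{SUFFIX}"

# Constructed sample entries (not dumped from a real server): a master, one of
# its service containers, and the deeper DNSSEC entry mentioned in the thread.
# Values are the entry's objectclass attribute.
ENTRIES = {
    f"cn=ipa.master.test,{MASTERS}": ["top", "nscontainer"],
    f"cn=DNS,cn=ipa.master.test,{MASTERS}": ["top", "nscontainer", "ipaconfigobject"],
    f"cn=DNSSEC,cn=DNS,cn=ipa.master.test,{MASTERS}": ["top", "nscontainer", "ipaconfigobject"],
}


def excluded_by_dn_pattern(dn):
    """Hypothetical DN-based exclusion: deny entries exactly one RDN below a
    master, i.e. cn=<service>,cn=<master>,cn=masters,...  This toy matcher is
    anchored on the RDN depth it names and knows nothing about subtrees, which
    is exactly why an extra level (cn=DNSSEC,cn=DNS,...) slips through it."""
    pattern = re.compile(r"^cn=[^,]+,cn=[^,]+," + re.escape(MASTERS) + r"$", re.IGNORECASE)
    return bool(pattern.match(dn))


def excluded_by_objectclass(objectclasses):
    """Objectclass-based targetfilter from the thread:
    (targetfilter="(!(objectclass=ipaConfigObject))")
    The entry is excluded when it carries ipaConfigObject, no matter where it
    sits in the tree or how the RDNs are named."""
    return any(oc.lower() == "ipaconfigobject" for oc in objectclasses)


def readable_entries(strategy):
    """Return the sorted DNs the ACI would expose under the given strategy
    ('dn' or 'objectclass')."""
    visible = []
    for dn, ocs in ENTRIES.items():
        if strategy == "dn":
            excluded = excluded_by_dn_pattern(dn)
        elif strategy == "objectclass":
            excluded = excluded_by_objectclass(ocs)
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        if not excluded:
            visible.append(dn)
    return sorted(visible)


def build_aci(name, rights=("read", "search", "compare")):
    """Render the objectclass-based rule in generic 389-ds ACI syntax.
    The syntax is assumed from the general 389-ds ACI format, not copied from
    the FreeIPA patch; userdn="ldap:///all" is the usual spelling for
    'any authenticated user'."""
    return (
        '(targetfilter="(!(objectclass=ipaConfigObject))")'
        f'(version 3.0;acl "{name}";allow ({",".join(rights)}) '
        'userdn="ldap:///all";)'
    )


if __name__ == "__main__":
    for strategy in ("dn", "objectclass"):
        print(f"{strategy}:")
        for dn in readable_entries(strategy):
            print("  ", dn)
    print(build_aci("System: Read IPA Masters (example)"))
```

Running it shows the DN-depth rule leaking the constructed `cn=DNSSEC,cn=DNS,...` entry while the objectclass rule leaves only the master visible; the `rights` tuple is there so the read-versus-search/compare variant Rob asks about can be rendered the same way.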
