[Freeipa-devel] #4389: DS deref broken after ACI refactoring

Martin Kosek mkosek at redhat.com
Fri Jun 20 19:12:31 UTC 2014


On 06/20/2014 05:51 PM, Jakub Hrozek wrote:
> On Fri, Jun 20, 2014 at 04:45:45PM +0200, Martin Kosek wrote:
>> On 06/20/2014 04:24 PM, Jakub Hrozek wrote:
>>> On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
...
> I think we should just make a note to self to allow users to fix the
> ACIs manually should they run into the problem while being unable to
> upgrade for whatever reason.
>
> So we only seem to dereference member and memberof. We dereference either user
> groups to get users, or host groups to get hosts. For hosts we are
> interested in these attributes:
>      "ipa_host_object_class"
>      "ipa_host_name"
>      "ipa_host_fqdn"
>      "ipa_host_serverhostname"
>      "ipa_host_member_of"
>      "ipa_host_ssh_public_key"
>      "ipa_host_uuid"
>
> For users and groups, the list is longer and can be found here:
> https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ipa/ipa_opts.h#n166
>
> Look for ipa_user_map and ipa_group_map.
>
> But in general I agree with Simo that we shouldn't spend too much time
> on this when the DS is fixed.

Ok, makes sense.

>
>
>>
>>> For IPA we only care about memberof, but keep in mind that attribute
>>> maps in SSSD are configurable.
>>
>> Hm, makes the option 2) even more challenging...
>>
>
> But because the ACIs would only be applied on IPA servers, I think we
> can limit ourselves to the IPA schema only for the workaround.

Thanks all for the responses. It seems the plan is clear:

1) Prepare a fix for the DS deref access control issue
(https://fedorahosted.org/389/ticket/47821). Ludwig, could you now please start
working on this one? It takes precedence over the 4.1 or 4.2 work you were
working on.

2) Backport the fix to supported platforms along with other ACI fixes that
Ludwig already found - Fedora 19 (?), Fedora 20, next RHEL-6.x.

3) The 4.0 release note will contain a warning about the minimal DS version of the
replicas. We will have a workaround ready based on the data that Jakub provided
in case someone hits the issue and cannot update to a fixed DS version.

Martin
