[Freeipa-devel] #4389: DS deref broken after ACI refactoring
Martin Kosek
mkosek at redhat.com
Fri Jun 20 19:12:31 UTC 2014
On 06/20/2014 05:51 PM, Jakub Hrozek wrote:
> On Fri, Jun 20, 2014 at 04:45:45PM +0200, Martin Kosek wrote:
>> On 06/20/2014 04:24 PM, Jakub Hrozek wrote:
>>> On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote:
...
> I think we should just make a note to self to allow users to fix the
> ACIs manually should they run into the problem while being unable to
> upgrade for whatever reason.
>
> So we only seem to dereference member and memberof. We dereference either user
> groups to get users, or host groups to get hosts. For hosts we are
> interested in these attributes:
> "ipa_host_object_class"
> "ipa_host_name"
> "ipa_host_fqdn"
> "ipa_host_serverhostname"
> "ipa_host_member_of"
> "ipa_host_ssh_public_key"
> "ipa_host_uuid"
>
> For users and groups, the list is longer and can be found here:
> https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ipa/ipa_opts.h#n166
>
> Look for ipa_user_map and ipa_group_map.
>
> But in general I agree with Simo that we shouldn't spend too much time
> on this when the DS is fixed.
Ok, makes sense.
>
>
>>
>>> For IPA we only care about memberof, but keep in mind that attribute
>>> maps in SSSD are configurable.
>>
>> Hm, makes the option 2) even more challenging...
>>
>
> But because the ACIs would only be applied on IPA servers, I think we
> can limit ourselves to the IPA schema only for the workaround.
Thanks all for the responses. It seems that the plan is clear:
1) Prepare a fix for DS deref access control issue
(https://fedorahosted.org/389/ticket/47821). Ludwig, could you now please start
working on this one? It takes precedence before 4.1 or 4.2 work you were
working on.
2) Backport the fix to supported platforms along with other ACI fixes that
Ludwig already found - Fedora 19 (?), Fedora 20, next RHEL-6.x.
3) 4.0 release note will contain a warning about the minimal DS version of the
replicas. We will have a workaround ready based on the data that Jakub provided
in case someone hits the issue and cannot update to a fixed DS version.
Martin