[Freeipa-devel] Read access to container entries

Petr Viktorin pviktori at redhat.com
Fri Mar 28 15:11:25 UTC 2014


Hello,
I'm trying to add ACIs to allow read access to containers, and I need 
some input.

The DS's access control system is not designed to allow access to a 
single entry but not its descendants. The [ACI documentation] suggests 
some ways to work around it.

This doesn't work that well for read access in IPA:

$SUFFIX needs anonymous read access; ipa-client-install looks for 
"info=IPA V2.0" anonymously.
cn=accounts,$SUFFIX needs read access if it or any of its children are 
to be listed in a GUI
cn=users,cn=accounts,$SUFFIX needs read access if it or any users are to 
be listed in a GUI
uid=*,cn=accounts,$SUFFIX might need to have anonymous reads denied

It's safe to expose IPA's default containers anonymously; all they tell 
the user is that they're looking at an IPA server.

The container entries themselves just have cn and an objectClass of 
cnContainer, so it's impossible to construct a general targetfilter that 
targets them but not any possible descendants.

I see 3 possible solutions:
1) File a DS RFE to implement [targetscope]. With that we could have 
ACIs that only target a single entry, so admins could manage read access 
to containers in the usual way (with permissions).
2) Add a (objectClass=nsContainer) filter. The problem here is that if 
this is on cn=accounts,$S, it would also affect e.g. 
cn=users,cn=accounts,$S, and other nsContainers under it. For example, 
cn=$HOSTNAME,cn=masters,cn=ipa,cn=etc,$S is an nsContainer.
3) Add a special attribute to mark "public" containers, and add an ACI 
with a filter on that. Something like objectClass=ipaPublicContainer 
would do.


I'm thinking about 3, but I'd like to ask an LDAP expert for opinions.


Note that children can be accessible even if the parent isn't. This 
whole container business only affects exploring the DIT with a GUI-ish tool.

-- 
Petr³

Thanks to Ludwig for input on IRC.

[ACI documentation]: 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_a_Single_Directory_Entry
[targetscope]: http://docs.oracle.com/cd/E19424-01/820-4809/gdzgi/index.html
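An added illustration, not part of the post or of FreeIPA's code: a small Python model of how a 389 DS ACI's target DN plus targetfilter selects entries (the target always covers the whole subtree, as there is no targetscope), run over a constructed mini-DIT. It shows why option 2's (objectClass=nsContainer) filter also reaches nested containers such as cn=users or cn=$HOSTNAME,cn=masters, while option 3 only reaches entries that carry the marker objectClass. The suffix, host name and which entries carry ipaPublicContainer are assumptions.

```python
# Model of 389 DS ACI targeting: an ACI with target DN T and targetfilter F
# applies to every entry in the subtree at T that matches F.
# Constructed mini-DIT (assumed suffix and host name), not a real server.
SUFFIX = "dc=example,dc=test"
HOST = "server.example.test"

# dn -> attributes; keys and values compared case-insensitively
DIT = {
    SUFFIX: {"objectclass": {"top", "domain"}, "info": {"IPA V2.0"}},
    f"cn=accounts,{SUFFIX}": {"objectclass": {"nscontainer", "ipapubliccontainer"}},
    f"cn=users,cn=accounts,{SUFFIX}": {"objectclass": {"nscontainer", "ipapubliccontainer"}},
    f"uid=alice,cn=users,cn=accounts,{SUFFIX}": {"objectclass": {"person", "posixaccount"}},
    f"cn=etc,{SUFFIX}": {"objectclass": {"nscontainer", "ipapubliccontainer"}},
    f"cn=ipa,cn=etc,{SUFFIX}": {"objectclass": {"nscontainer"}},
    f"cn=masters,cn=ipa,cn=etc,{SUFFIX}": {"objectclass": {"nscontainer"}},
    f"cn={HOST},cn=masters,cn=ipa,cn=etc,{SUFFIX}": {"objectclass": {"nscontainer"}},
}


def in_subtree(dn, base):
    """True if dn is base itself or any descendant of base."""
    return dn == base or dn.endswith("," + base)


def matches_filter(attrs, ldap_filter):
    """Evaluate a single equality filter like '(objectClass=nsContainer)'."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    values = {v.lower() for v in attrs.get(attr.lower(), ())}
    return value.lower() in values


def aci_targets(target_dn, targetfilter=None):
    """DNs an ACI with this target / targetfilter would grant access to."""
    return sorted(dn for dn, attrs in DIT.items()
                  if in_subtree(dn, target_dn)
                  and (targetfilter is None or matches_filter(attrs, targetfilter)))


def read_aci(name, target_dn, targetfilter):
    """Render the anonymous-read ACI value the model is evaluating (389 DS syntax)."""
    return (f'(target = "ldap:///{target_dn}")(targetfilter = "{targetfilter}")'
            f'(version 3.0; acl "{name}"; allow (read, search, compare) '
            f'userdn = "ldap:///anyone";)')


if __name__ == "__main__":
    for opt, flt in (("option 2", "(objectClass=nsContainer)"),
                     ("option 3", "(objectClass=ipaPublicContainer)")):
        print(read_aci(f"Anonymous read of containers ({opt})", SUFFIX, flt))
        for dn in aci_targets(SUFFIX, flt):
            print("   ", dn)
```

Option 2 placed on $SUFFIX exposes every nsContainer, down to the per-master entry; option 3 exposes only the three marked entries, and neither matches the user entry.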