[Freeipa-devel] Read access to container entries

Ludwig Krispenz lkrispen at redhat.com
Mon Mar 31 08:41:12 UTC 2014 

Hi Petr,

we already discussed on IRC, but see some comments below
On 03/28/2014 04:11 PM, Petr Viktorin wrote:
> Hello,
> I'm trying to add ACIs to allow read access to containers, and I need 
> some input.
>
> The DS's access control system is not designed to allow access to a 
> single entry but not its descendants. The [ACI documentation] suggests 
> some ways to work around it.
>
> This doesn't work that well for read access in IPA:
>
> $SUFFIX needs anonymous read access; ipa-client-install looks for 
> "info=IPA V2.0" anonymously.
> cn=accounts,$SUFFIX needs read access if it or any of its children are 
> to be listed in a GUI
> cn=users,cn=accounts,$SUFFIX needs read access if it or any users are 
> to be listed in a GUI
> uid=*,cn=accounts,$SUFFIX might need to have anonymous reads denied
>
> It's safe to expose IPA's default containers anonymously; all they 
> tell the user is that they're looking an IPA server.
>
> The container entries themselves just have cn and an objectClass of 
> cnContainer, so it's impossible to construct a general targetfilter 
> that targets them but not any possible descendants.
>
> I see 3 possible solutions:
> 1) File a DS RFE to implement [targetscope]. With that we could have 
> ACIs that only target a single entry, so admins could manage read 
> access to containers in the usual way (with permissions).
> 2) Add a (objectClass=nsContainer) filter. The problem here is that if 
> this is on cn=accounts,$S, it would also affect e.g. 
> cn=users,cn=accounts,$S, and other nsContainers under it. For example, 
> cn=$HOSTNAME,cn=masters,cn=ipa,cn=etc,$S is a nsContainer.
> 3) Add a special attribute to mark "public" containers, and add an ACI 
> with a filter on that. Something like objectClass=ipaPublicContainer 
> would do.
there is one more option
4) add an allow aci for cn=accounts,$S and a deny aci for 
cn=*,cn=accounts,$S or uid=*,cn=accounts,$S

In general I think we should implement 1), there will be other scenarios 
where it could be useful. If something is needed imemdiately I would 
also prefer 3)
>
>
> I'm thinking about 3, but I'd like to ask an LDAP expert for opinions.
>
>
> Note that children can be accessible even if the parent isn't. This 
> whole container business only affects exploring the DIT with a GUI-ish 
> tool.
>

More information about the Freeipa-devel mailing list