[Freeipa-devel] Read access to container entries

Martin Kosek mkosek at redhat.com
Mon Mar 31 13:39:39 UTC 2014


On 03/31/2014 02:53 PM, Simo Sorce wrote:
> On Mon, 2014-03-31 at 10:41 +0200, Ludwig Krispenz wrote:
...
>>> 3) Add a special attribute to mark "public" containers, and add an ACI 
>>> with a filter on that. Something like objectClass=ipaPublicContainer 
>>> would do.
>> there is one more option
>> 4) add an allow aci for cn=accounts,$S and a deny aci for 
>> cn=*,cn=accounts,$S or uid=*,cn=accounts,$S
> 
> We want to get rid of deny ACIs if at all possible.
> 
>> In general I think we should implement 1), there will be other scenarios 
>> where it could be useful. If something is needed immediately I would 
>> also prefer 3)
> 
> I wonder, can we have an objectclass that defines no attributes ?
> Or do we always need to have a MAY at least ?

This particular objectclass could have just one MUST attribute - cn. Similarly
to what nsContainer has.

> Anyway I agree that the simplest solution would be to have an
> objectclass to filter on.
> 
> But I see 2 options.
> 1. objectClass=ipaPublicContainer
> 2. objectClass=ipaPrivateContainer
> 
> The problem with the second is adding a
> (!(objectclass=ipaPrivateContainer)) everywhere ...
> 

I already elaborated on that topic later in this thread, please check it. It
also includes an attached list of containers we already have. IMO most of the
containers we have will be public, rather than private, as LDAP nsContainer's cn
attribute is semantically not meant to contain secrets we want to hide.

So instead of adding 61 ipaPublicContainer everywhere I would just allow
reading nsContainers (cn+objectclass) anonymously + have ipaPrivateContainer
available in case we need it (I am not aware of any such case though).

Martin
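Added example (not part of the thread, and not FreeIPA's own ACI or code): a small model of the approach Martin proposes, an allow-only ACI that lets anonymous binds read cn and objectClass of nsContainer entries, with a negated filter term excluding a hypothetical ipaPrivateContainer objectclass. The ACI text uses 389-ds ACI syntax; the suffix, the entries and the ipaPrivateContainer name are constructed for the example. The filter parser handles only the filter shapes the ACI needs (equality, &, |, !).

```python
"""Model of the container read-access proposal: one positive ACI, no deny rule.
Entries that do not match the targetfilter are simply not granted anything,
which is why no deny ACI is needed for uid=* or cn=* children of cn=accounts."""
import re

# Constructed example ACI in 389-ds syntax (not FreeIPA's actual ACI).
CONTAINER_ACI = (
    '(targetattr = "cn || objectClass")'
    '(targetfilter = "(&(objectClass=nsContainer)(!(objectClass=ipaPrivateContainer)))")'
    '(version 3.0; acl "Anonymous read access to containers";'
    ' allow (read, search, compare) userdn = "ldap:///anyone";)'
)

# Constructed sample tree under a suffix $S; ipaPrivateContainer is hypothetical.
SUFFIX = "dc=example,dc=test"
ENTRIES = {
    f"cn=accounts,{SUFFIX}": {"objectClass": {"top", "nsContainer"}, "cn": {"accounts"}},
    f"cn=users,cn=accounts,{SUFFIX}": {"objectClass": {"top", "nsContainer"}, "cn": {"users"}},
    f"uid=alice,cn=users,cn=accounts,{SUFFIX}": {
        "objectClass": {"top", "person", "posixAccount"},
        "uid": {"alice"}, "cn": {"Alice"}, "userPassword": {"{SSHA}constructed"},
    },
    f"cn=secrets,cn=accounts,{SUFFIX}": {
        "objectClass": {"top", "nsContainer", "ipaPrivateContainer"}, "cn": {"secrets"},
    },
}


def parse_filter(text):
    """Parse a minimal RFC 4515 filter: (attr=value), (&...), (|...), (!...)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing filter text: {rest!r}")
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    body = s[1:]
    if body[:1] in ("&", "|", "!"):
        op, body = body[0], body[1:]
        children = []
        while body.startswith("("):
            child, body = _parse(body)
            children.append(child)
        if not body.startswith(")"):
            raise ValueError("unterminated composite filter")
        return (op, children), body[1:]
    end = body.index(")")
    attr, value = body[:end].split("=", 1)
    return ("=", attr.strip().lower(), value.strip()), body[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against an entry (attribute names and values case-insensitive)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = {v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs}
        return value.lower() in values
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)  # "!" takes exactly one child


def parse_aci(aci):
    """Extract the targetattr set and parsed targetfilter from an ACI string."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci).group(1)
    filt = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci).group(1)
    return {a.strip().lower() for a in attrs.split("||")}, parse_filter(filt)


def anonymous_view(aci, entries):
    """Return {dn: {attr: values}} that an anonymous bind could read under this allow-only ACI."""
    allowed_attrs, target = parse_aci(aci)
    visible = {}
    for dn, entry in entries.items():
        if matches(target, entry):  # no match, no grant: nothing to deny explicitly
            visible[dn] = {k: v for k, v in entry.items() if k.lower() in allowed_attrs}
    return visible


if __name__ == "__main__":
    for dn, attrs in anonymous_view(CONTAINER_ACI, ENTRIES).items():
        print(dn, sorted(attrs))
```

Running it lists only cn=accounts and cn=users with cn and objectClass; the user entry is invisible because it lacks nsContainer, and cn=secrets is hidden by the negated ipaPrivateContainer term, so the same effect as Ludwig's option 4 is reached with a single allow rule.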
