From b243da415ecb2c28b5aa9bc563595efe35a40987 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 19 Jun 2014 13:01:06 +0200 Subject: Allow read access to masters, but not their services, to auth'd users The ipa host-del command checks if the host to be deleted is an IPA master by looking up the entry in cn=masters. If the entry is not accessible, host-del would proceed to delete the host. Thus we need to allow reading the master entries to at least those that can delete hosts. Since the host information is also available via DNS, it makes no sense be extremely secretive about it. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek --- install/updates/20-aci.update | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 6af800111..a10eb4077 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -28,6 +28,10 @@ add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)) dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)' +# Read access to masters (but not their services) +dn: cn=masters,cn=ipa,cn=etc,$SUFFIX +add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)' + # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos) dn: cn=kerberos,$SUFFIX add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)' -- cgit