From 34d06b2be71823bc8898732f1ced0185f83afb01 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 28 Mar 2018 12:39:12 +0300
Subject: [PATCH] Allow anonymous access to parentID attribute
Due to optimizations in 389-ds performed as a result of
https://pagure.io/389-ds-base/issue/49372, LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now, but the FreeIPA DS instance does not allow it.
As a result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.
While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading parentID attribute at the suffix level.
Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
install/updates/20-aci.update | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index dec2e16ee..b8a172eb5 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -21,6 +21,10 @@ add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other hos
dn: $SUFFIX
add:aci:(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";)
+# Read access to parentID information to allow filter optimizations in 389-ds
+dn: $SUFFIX
+add:aci:(targetattr="parentid")(version 3.0; acl "Anonymous read access to parentID information"; allow(read, search, compare) userdn = "ldap:///anyone";)
+
# Read access to containers
dn: $SUFFIX
add:aci:(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";)
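Review bot: the new `+add:aci:(targetattr="parentid")...` ACI carries no targetfilter and no `target!=` exclusion, so it applies to every entry under $SUFFIX, whereas the "Anonymous read access to containers" ACI directly below it deliberately excludes `ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX`. Because the grant includes `search`, an anonymous bind can issue a `(parentid=<id>)` filter and receive the DNs of all children of a given entry, which would expose the existence and names of entries in subtrees the other anonymous ACIs withhold; consider carrying the same `target!=` exclusion over to this ACI, or restricting it to `userdn = "ldap:///all"` if only authenticated one-level searches need to work. The `+# Read access to parentID information ...` comment should also say this is a temporary workaround for 389-ds issue 49617 (named in the commit message) so that the ACI is removed once the server-side fix lands.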
--
2.17.1