From 34d06b2be71823bc8898732f1ced0185f83afb01 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 28 Mar 2018 12:39:12 +0300 Subject: [PATCH] Allow anonymous access to parentID attribute Due to optimizations in 389-ds performed as result of https://pagure.io/389-ds-base/issue/49372, LDAP search filter is rewritten to include parentID information. It implies that parentID has to be readable for a bound identity performing the search. This is what 389-ds expects right now but FreeIPA DS instance does not allow it. As result, searches with a one-level scope fail to return results that otherwise are matched in a sub scope search. While 389-ds developers are working on the fix for issue https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an explicit ACI to allow reading parentID attribute at the suffix level. Fixes: https://pagure.io/freeipa/issue/7466 Signed-off-by: Alexander Bokovoy Reviewed-By: Christian Heimes --- install/updates/20-aci.update | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index dec2e16ee..b8a172eb5 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update @@ -21,6 +21,10 @@ add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can manage other hos dn: $SUFFIX add:aci:(targetfilter="(objectclass=domain)")(targetattr="objectclass || dc || info || nisDomain || associatedDomain")(version 3.0; acl "Anonymous read access to DIT root"; allow(read, search, compare) userdn = "ldap:///anyone";) +# Read access to parentID information to allow filter optimizations in 389-ds +dn: $SUFFIX +add:aci:(targetattr="parentid")(version 3.0; acl "Anonymous read access to parentID information"; allow(read, search, compare) userdn = "ldap:///anyone";) + # Read access to containers dn: $SUFFIX add:aci:(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";) -- 2.17.1