Allow read access to masters, but not their services, to auth'd users

The ipa host-del command checks if the host to be deleted is an IPA master by looking up the entry in cn=masters. If the entry is not accessible, host-del would proceed to delete the host. Thus we need to allow reading the master entries to at least those that can delete hosts. Since the host information is also available via DNS, it makes no sense be extremely secretive about it. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-06-19 13:01:06 +02:00 · 2014-06-19 13:01:06 +02:00 · b243da415e
commit b243da415e
parent 8b2f4443dc
1 changed files with 4 additions and 0 deletions
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@ -28,6 +28,10 @@ add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";)'

+# Read access to masters (but not their services)
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)'
+
 # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
 dn: cn=kerberos,$SUFFIX
 add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";)'