Bug 1108215

Summary: Make Read replication agreements permission more targeted
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.1
Status: CLOSED ERRATA
Severity: unspecified
Priority: medium
Reporter: Martin Kosek <mkosek>
Assignee: Martin Kosek <mkosek>
QA Contact: Namita Soman <nsoman>
CC: mkosek, rcritten
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:11:43 UTC
Bug Depends On: 976382, 1153292

Description Martin Kosek 2014-06-11 14:49:25 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3829

The current ACI allowing replica admins to read replication agreements is too allowing in terms of cn=config exposure and is also not bound to any permission, thus it does not allow users to assign it.

The patch for this would do basically this:
* remove the following aci from both installer and current deployments:
{{{
(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
}}}
* add new permission ACI like this:
{{{
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
}}}
* make sure that the "Replication Administrators" privilege has the new read permission assigned

Comment 1 Martin Kosek 2014-06-11 15:23:29 UTC
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.

Comment 2 Namita Soman 2014-06-26 18:51:05 UTC
Please add steps to verify.

Comment 3 Martin Kosek 2014-06-27 07:55:54 UTC
To reproduce, add the 'Replication Administrators' privilege to a regular user and see what that user can access in cn=config. He should only be able to access (mostly) the replication agreements; he should not be able to access any settings in the cn=config base:

$ kinit admin
$ echo Secret123 | ipa user-add --first Foo --last=Bar fbar --password
$ ipa role-add test --desc test
$ ipa role-add-privilege test --privileges 'Replication Administrators'
$ ipa role-add-member test --users fbar
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'

$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: fbar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
cn: Sync Request Control

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# cn\3Dchangelog, mapping tree, config
dn: cn=cn\3Dchangelog,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: cn=changelog

# dc\3Dmkosek-fedora20\2Cdc\3Dtest, mapping tree, config
dn: cn=dc\3Dmkosek-fedora20\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=mkosek-fedora20,dc=test
cn: "dc=mkosek-fedora20,dc=test"
nsslapd-state: backend
nsslapd-backend: userRoot

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: o=ipaca

# search result
search: 4
result: 0 Success

# numResponses: 7
# numEntries: 6



When you run this test on an unpatched IPA, you will see *much more* access:

$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: fbar@UNPATCHED-IPA-TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# config
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-backendconfig: cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=co
 nfig
nsslapd-backendconfig: cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=confi
 g
nsslapd-betype: ldbm database
nsslapd-privatenamespaces: cn=schema
nsslapd-privatenamespaces:
nsslapd-privatenamespaces: cn=monitor
nsslapd-privatenamespaces: cn=config
nsslapd-plugin: cn=Binary Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Bit String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Boolean Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Case Exact String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Case Ignore String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Country String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Delivery Method Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Distinguished Name Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Enhanced Guide Syntax,cn=plugins,cn=config
...
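
The following is an added example, not FreeIPA code or anything from the bug's commits. It serves both the ACI change in the description and the "what can this user see in cn=config" check in Comment 3: it parses the two ACIs quoted verbatim in the description and evaluates each against a handful of constructed entries shaped like the ldapsearch output above (realm, replica ID, hostname and the credential value are made up). The model is deliberately simplified: only the targetattr, targetfilter, rights and groupdn clauses are honoured, the bound user is assumed to be a member of the groupdn (i.e. holds the permission), and entries that other default ACIs make readable (cn=SNMP and cn=features in the output above) are out of scope, so the result is a lower bound on what the server would return. One caveat it makes visible: because the new ACI uses targetattr=*, every attribute of a matching agreement entry stays readable, including nsDS5ReplicaCredentials, which the verified output in Comment 5 also returns to the test user, so "Replication Administrators" remains a high-trust privilege even after the fix.

```python
"""Added example (not FreeIPA code): which cn=config entries do the old and the
new replication-agreement read ACIs expose to a holder of the permission?
Simplified 389-ds model: only targetattr, targetfilter, rights and groupdn are
honoured, and the bound user is assumed to be a member of the groupdn."""
import re
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values

# The two ACIs quoted verbatim from the bug description.
OLD_ACI = ('(targetattr != aci)(version 3.0; aci "replica admins read access"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication '
           'Agreements,cn=permissions,cn=pbac,$SUFFIX";)')
NEW_ACI = ('(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)'
           '(objectclass=nsds5replicationagreement)'
           '(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")'
           '(version 3.0; acl "permission:Read Replication Agreements"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Read Replication '
           'Agreements,cn=permissions,cn=pbac,$SUFFIX";)')

# Constructed entries in the shape of the ldapsearch output above; realm, replica
# ID, host and credential are made up. Attribute names are lower-cased for matching.
MAPPING_TREE_DN = r'cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config'
REPLICA_DN = 'cn=replica,' + MAPPING_TREE_DN
AGREEMENT_DN = 'cn=meToreplica.example.test,' + REPLICA_DN
ENTRIES: List[Entry] = [
    {'dn': ['cn=config'], 'objectclass': ['top', 'nsslapdConfig'],
     'nsslapd-backendconfig': ['cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=config']},
    {'dn': ['cn=SNMP,cn=config'], 'objectclass': ['top', 'nsSNMP'], 'nssnmpenabled': ['on']},
    {'dn': [MAPPING_TREE_DN], 'objectclass': ['top', 'nsMappingTree'], 'nsslapd-backend': ['userRoot']},
    {'dn': [REPLICA_DN], 'objectclass': ['top', 'nsds5replica'], 'nsds5replicaid': ['4']},
    {'dn': [AGREEMENT_DN], 'objectclass': ['top', 'nsds5replicationagreement'],
     'nsds5replicahost': ['replica.example.test'],
     'nsds5replicacredentials': ['{DES}AAAAAAAAAAAAAAAAAAAAAA==']},
]

def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse the RFC 4515 subset used in targetfilters: &, |, ! and attr=value."""
    if s[i] != '(':
        raise ValueError(f'expected "(" at offset {i} in {s!r}')
    i += 1
    if s[i] in '&|!':
        op, i, kids = s[i], i + 1, []
        while s[i] == '(':
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # i points at the closing ')'
    end = s.index(')', i)
    attr, _, value = s[i:end].partition('=')
    return ('=', attr.strip().lower(), value.strip().lower()), end + 1

def match_filter(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against an entry (case-insensitive values)."""
    op = node[0]
    if op in '&|':
        return (all if op == '&' else any)(match_filter(k, entry) for k in node[1])
    if op == '!':
        return not match_filter(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == '*' else node[2] in values

ACI_RE = re.compile(
    r'\(targetattr\s*(!?=)\s*"?([^")]+?)"?\s*\)'           # (targetattr != aci) / (targetattr=*)
    r'(?:\(targetfilter\s*=\s*"([^"]+)"\))?'               # optional targetfilter
    r'\(version 3\.0;\s*(?:aci|acl)\s+"([^"]+)";\s*'      # ACI name
    r'allow\s*\(([^)]*)\)\s*groupdn\s*=\s*"ldap:///([^"]+)";\s*\)')

def parse_aci(aci: str) -> dict:
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError('unsupported ACI syntax: ' + aci)
    op, attrs, tfilter, name, rights, groupdn = m.groups()
    return {'name': name, 'negated': op == '!=',
            'attrs': {a.strip().lower() for a in attrs.split('||')},
            'filter': parse_filter(tfilter)[0] if tfilter else None,
            'rights': {r.strip().lower() for r in rights.split(',')},
            'groupdn': groupdn}

def readable_attrs(aci: dict, entry: Entry) -> Set[str]:
    """Attributes of `entry` a groupdn member can read under this ACI alone
    (the server ORs all applicable allow ACIs, so this is a lower bound)."""
    if 'read' not in aci['rights']:
        return set()
    if aci['filter'] and not match_filter(aci['filter'], entry):
        return set()
    present = {a for a in entry if a != 'dn'}
    if aci['negated']:
        return present - aci['attrs']
    return present if '*' in aci['attrs'] else present & aci['attrs']

def exposed_entries(aci_text: str, entries: List[Entry] = ENTRIES) -> Dict[str, Set[str]]:
    """DN -> readable attribute names for every entry the ACI exposes."""
    aci = parse_aci(aci_text)
    exposed: Dict[str, Set[str]] = {}
    for entry in entries:
        attrs = readable_attrs(aci, entry)
        if attrs:
            exposed[entry['dn'][0]] = attrs
    return exposed
```

Calling `exposed_entries(OLD_ACI)` returns all five constructed entries, cn=config itself included, because `(targetattr != aci)` with no targetfilter matches every attribute of every entry under the ACI's target; `exposed_entries(NEW_ACI)` returns only the mapping tree, replica and agreement entries, which is the reduction the verification steps above look for. The same functions can be pointed at ACIs copied out of a live server's `aci` attribute on cn=config to check whether the broad "replica admins read access" rule is still present on an upgraded deployment.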

Comment 5 Namita Soman 2015-01-23 18:37:25 UTC
Verified using - ipa-server-4.1.0-15.el7.x86_64

# ipa privilege-show "Replication Administrators" --all
  dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testrelm,dc=test
  Privilege name: Replication Administrators
  Description: Replication Administrators
  Permissions: Remove Replication Agreements, Modify DNA Range, Add Replication Agreements, Modify
               Replication Agreements, System: Read Replication Agreements
  Granting privilege to roles: test, Security Architect
  objectclass: top, groupofnames, nestedgroup



# ipa user-add three
First name: three
Last name: three
------------------
Added user "three"
------------------
  User login: three
  First name: three
  Last name: three
  Full name: three three
  Display name: three three
  Initials: tt
  Home directory: /home/three
  GECOS: three three
  Login shell: /bin/sh
  Kerberos principal: three
  Email address: three
  UID: 1453400008
  GID: 1453400008
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


# ipa role-add test --desc test
-----------------
Added role "test"
-----------------
  Role name: test
  Description: test


# ipa role-add-privilege test --privileges 'Replication Administrators'
  Role name: test
  Description: test
  Privileges: Replication Administrators
----------------------------
Number of privileges added 1
----------------------------



# ipa role-add-member test --users three
  Role name: test
  Description: test
  Member users: three
  Privileges: Replication Administrators
-------------------------
Number of members added 1
-------------------------


[root@qeblade6 ipa-dns]# kinit three
Password for three: 


# ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: three
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
cn: Sync Request Control

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# cn\3Dchangelog, mapping tree, config
dn: cn=cn\3Dchangelog,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: cn=changelog

# dc\3Dtestrelm\2Cdc\3Dtest, mapping tree, config
dn: cn=dc\3Dtestrelm\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=testrelm,dc=test
cn: "dc=testrelm,dc=test"
nsslapd-state: backend
nsslapd-backend: userRoot

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: o=ipaca

# replica, dc\3Dtestrelm\2Cdc\3Dtest, mapping tree, config
dn: cn=replica,cn=dc\3Dtestrelm\2Cdc\3Dtest,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=testrelm,dc=test
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/mgmt2.testrelm.test,cn
 =services,cn=accounts,dc=testrelm,dc=test
nsState:: BAAAAAAAAAC/i8JUAAAAAAAAAAAAAAAAAgAAAAAAAAADAAAAAAAAAA==
nsDS5ReplicaName: 39122d05-a1e611e4-afdfc7c4-104d6a42
nsds5ReplicaChangeCount: 1634
nsds5replicareapactive: 0

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
objectClass: extensibleobject
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-mgmt2.testrelm.tes
 t-pki-tomcat,ou=csusers,cn=config
cn: replica
nsDS5ReplicaId: 96
nsDS5Flags: 1
nsState:: YAAAAAAAAABkicJUAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: 8098b905-a1e611e4-afdfc7c4-104d6a42
nsds5ReplicaChangeCount: 171

# masterAgreement1-mgmt2.testrelm.test-pki-tomcat, replica, o\3Dipaca, mappin
 g tree, config
dn: cn=masterAgreement1-mgmt2.testrelm.test-pki-tomcat,cn=replica,cn=o\3Dipaca
 ,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: masterAgreement1-mgmt2.testrelm.test-pki-tomcat
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: mgmt2.testrelm.test
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-mgmt2.testrelm.test
 -pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaTransportInfo: TLS
description: masterAgreement1-mgmt2.testrelm.test-pki-tomcat
nsDS5ReplicaCredentials: {DES}bZnLgsOZYoTrmMSptEByLA==
nsds50ruv: {replicageneration} 54c06e13000000600000
nsds50ruv: {replica 97 ldap://mgmt2.testrelm.test:389} 54c06e55000000610000 54
 c06e58000200610000
nsds50ruv: {replica 96 ldap://qeblade6.testrelm.test:389} 54c06e39000000600000
  54c15b5d000000600000
nsruvReplicaLastModified: {replica 97 ldap://mgmt2.testrelm.test:389} 00000000
nsruvReplicaLastModified: {replica 96 ldap://qeblade6.testrelm.test:389} 00000
 000
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't co
 ntact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9

Comment 7 errata-xmlrpc 2015-03-05 10:11:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html