Bug 1108215 - Make Read replication agreements permission less more targeted
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: Namita Soman
Depends On: 976382 1153292
 
Reported: 2014-06-11 10:49 EDT by Martin Kosek
Modified: 2015-03-05 05:11 EST
CC: 2 users

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 05:11:43 EST

External Trackers:
Red Hat Product Errata RHSA-2015:0442 (priority normal, status SHIPPED_LIVE): "Moderate: ipa security, bug fix, and enhancement update", last updated 2015-03-05 09:50:39 EST

Description Martin Kosek 2014-06-11 10:49:25 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3829

The current ACI allowing replica admins to read replication agreements is too permissive in terms of cn=config exposure and is also not bound to any permission, thus it does not allow users to assign it.

The patch for this would basically do the following:
* remove the following aci from both installer and current deployments:
{{{
(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
}}}
* add new permission ACI like this:
{{{
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
}}}
* make sure that the "Replication Administrators" privilege has the new read permission assigned
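Added illustration (not code from the bug report or from FreeIPA): a small Python model of the two ACIs quoted above, enough to show why the old one exposes everything under cn=config and the new one does not. It parses only the targetattr, targetfilter, groupdn and allow clauses, evaluates the targetfilter against a few constructed cn=config entries of the kinds seen in the transcripts below, and ignores everything a real 389-ds server also considers (deny rules, other ACIs in the tree, the target keyword). The suffix, group DNs and entries are constructed for the example; $SUFFIX is replaced with dc=example,dc=test.

```python
import re

# Constructed example suffix standing in for the $SUFFIX placeholder.
SUFFIX = "dc=example,dc=test"
MODIFY_GROUP = f"cn=Modify Replication Agreements,cn=permissions,cn=pbac,{SUFFIX}"
READ_GROUP = f"cn=Read Replication Agreements,cn=permissions,cn=pbac,{SUFFIX}"

# The ACI the fix removes: every attribute except aci, no targetfilter, so
# every entry under cn=config becomes readable by the group.
OLD_ACI = ('(targetattr != aci)(version 3.0; aci "replica admins read access"; '
           'allow (read, search, compare) groupdn = "ldap:///' + MODIFY_GROUP + '";)')

# The ACI the fix adds: scoped by targetfilter to replication objects only.
NEW_ACI = ('(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)'
           '(objectclass=nsds5replicationagreement)'
           '(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")'
           '(version 3.0; acl "permission:Read Replication Agreements"; '
           'allow (read, search, compare) groupdn = "ldap:///' + READ_GROUP + '";)')


def parse_aci(aci):
    """Pull the pieces this model needs out of a 389-ds ACI string."""
    ta = re.search(r'\(targetattr\s*(!?=)\s*"?([^")]*)"?\)', aci)
    tf = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    group = re.search(r'groupdn\s*=\s*"ldap:///([^"]*)"', aci)
    return {"attr_op": ta.group(1), "attr": ta.group(2).strip().lower(),
            "filter": tf.group(1) if tf else None,
            "rights": {r.strip().lower() for r in rights.group(1).split(",")},
            "groupdn": group.group(1).lower()}


def _parse_filter(s, i=0):
    """Parse the parenthesised LDAP filter at s[i]; returns (node, index_after)."""
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = _parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    close = s.index(")", i)
    attr, _, value = s[i + 1:close].partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), close + 1


def match_filter(node, entry):
    """Evaluate a parsed filter against an entry {attr_lower: [values]}."""
    op = node[0]
    if op == "=":
        vals = {v.lower() for v in entry.get(node[1], [])}
        return bool(vals) if node[2] == "*" else node[2] in vals
    kids = node[1]
    if op == "&":
        return all(match_filter(k, entry) for k in kids)
    if op == "|":
        return any(match_filter(k, entry) for k in kids)
    return not match_filter(kids[0], entry)


def grants_read(aci, entry, user_groups, attr="cn"):
    """True if this single ACI would let a member of USER_GROUPS read ATTR of ENTRY.
    Models only targetattr, targetfilter and groupdn; a real server also applies
    deny rules and every other ACI above the entry."""
    a = parse_aci(aci)
    if "read" not in a["rights"]:
        return False
    if a["groupdn"] not in {g.lower() for g in user_groups}:
        return False
    if a["filter"] and not match_filter(_parse_filter(a["filter"])[0], entry):
        return False
    if a["attr_op"] == "=":
        return a["attr"] == "*" or attr.lower() == a["attr"]
    return attr.lower() != a["attr"]      # "!=" form: everything but that attribute


# Constructed cn=config entries mirroring the kinds the bug's transcripts show.
ENTRIES = {
    "cn=config": {
        "objectclass": ["top", "extensibleObject", "nsslapdConfig"], "cn": ["config"]},
    "cn=Binary Syntax,cn=plugins,cn=config": {
        "objectclass": ["top", "nsSlapdPlugin"], "cn": ["Binary Syntax"]},
    "cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config": {
        "objectclass": ["top", "extensibleObject", "nsMappingTree"], "cn": ["dc=example,dc=test"]},
    "cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config": {
        "objectclass": ["top", "nsds5replica", "extensibleobject"], "cn": ["replica"]},
}


def readable_dns(aci, user_groups, entries=ENTRIES):
    """Sorted DNs whose attributes the ACI exposes to a member of USER_GROUPS."""
    return sorted(dn for dn, e in entries.items() if grants_read(aci, e, user_groups))


if __name__ == "__main__":
    print("old ACI exposes:", readable_dns(OLD_ACI, [MODIFY_GROUP]))
    print("new ACI exposes:", readable_dns(NEW_ACI, [READ_GROUP]))
    print("new ACI, old group:", readable_dns(NEW_ACI, [MODIFY_GROUP]))
```

The third call is the reason for the last bullet above: the new ACI is keyed to the "Read Replication Agreements" permission group, so a privilege that still carries only the old "Modify Replication Agreements" permission reads nothing until the new permission is added to it.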
Comment 1 Martin Kosek 2014-06-11 11:23:29 EDT
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.
Comment 2 Namita Soman 2014-06-26 14:51:05 EDT
please add steps to verify
Comment 3 Martin Kosek 2014-06-27 03:55:54 EDT
To reproduce, add the 'Replication Administrators' privilege to a regular user and see what that user can access in cn=config. The user should only be able to access (mostly) the replication agreements; they should not be able to access any settings in the cn=config base:

$ kinit admin
$ echo Secret123 | ipa user-add --first Foo --last=Bar fbar --password
$ ipa role-add test --desc test
$ ipa role-add-privilege test --privileges 'Replication Administrators'
$ ipa role-add-member test --users fbar
$ kinit fbar
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: fbar@MKOSEK-FEDORA20.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
cn: Sync Request Control

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# cn\3Dchangelog, mapping tree, config
dn: cn=cn\3Dchangelog,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: cn=changelog

# dc\3Dmkosek-fedora20\2Cdc\3Dtest, mapping tree, config
dn: cn=dc\3Dmkosek-fedora20\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=mkosek-fedora20,dc=test
cn: "dc=mkosek-fedora20,dc=test"
nsslapd-state: backend
nsslapd-backend: userRoot

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: o=ipaca

# search result
search: 4
result: 0 Success

# numResponses: 7
# numEntries: 6



When you run this test on an unpatched IPA, you will see *much more* access:

$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: fbar@UNPATCHED-IPA-TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# config
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-backendconfig: cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=co
 nfig
nsslapd-backendconfig: cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=confi
 g
nsslapd-betype: ldbm database
nsslapd-privatenamespaces: cn=schema
nsslapd-privatenamespaces:
nsslapd-privatenamespaces: cn=monitor
nsslapd-privatenamespaces: cn=config
nsslapd-plugin: cn=Binary Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Bit String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Boolean Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Case Exact String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Case Ignore String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Country String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Delivery Method Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Distinguished Name Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Enhanced Guide Syntax,cn=plugins,cn=config
...
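Added example (not from the bug report or from FreeIPA): a Python check that turns the manual "see what the user can access in cn=config" comparison above into something a verifier can run over saved ldapsearch output. It reads ldapsearch LDIF (unfolding continuation lines and decoding "::" base64 values), classifies each returned entry as a replication object (one of the four object classes in the new targetfilter), as part of the baseline the patched transcript still shows (cn=SNMP and the cn=features entries, readable through unrelated ACIs), or as unexpected exposure. The two LDIF samples are constructed from the shapes seen in the transcripts, with a placeholder nsState value.

```python
import base64

# Object classes the new "Read Replication Agreements" permission targets
# (the targetfilter in the bug description), lower-cased for comparison.
REPLICATION_CLASSES = {"nsds5replica", "nsds5replicationagreement",
                       "nsdswindowsreplicationagreement", "nsmappingtree"}

# Entries the transcript from a *patched* server still returns to the test
# user through other, unrelated ACIs.  Anything else that is not a
# replication object counts as unexpected exposure.
BASELINE_DN_SUFFIXES = ("cn=snmp,cn=config", "cn=features,cn=config")


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output: unfolds continuation lines,
    decodes 'attr:: <base64>' values, skips comments and the trailing
    search-result lines.  Returns [(dn, {attr_lower: [values]}), ...]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, None
    for line in lines + [""]:                 # sentinel flushes the last entry
        if not line or line.startswith("#"):
            if dn is not None:
                entries.append((dn, attrs))
                dn, attrs = None, None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("latin-1")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn, attrs = value, {}
        elif dn is not None:                  # ignore "search:"/"result:" trailer
            attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def classify(dn, attrs):
    """'replication', 'baseline' or 'unexpected' for one returned entry."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if classes & REPLICATION_CLASSES:
        return "replication"
    if dn.lower().endswith(BASELINE_DN_SUFFIXES):
        return "baseline"
    return "unexpected"


def unexpected_exposure(ldif_text):
    """DNs the Replication Administrators user could read that the permission
    should not cover (e.g. cn=config itself or plugin configuration)."""
    return [dn for dn, attrs in parse_ldif(ldif_text)
            if classify(dn, attrs) == "unexpected"]


# Constructed sample: what a patched server returned (shapes from comment 3;
# the nsState value is a placeholder, not a real replica state).
PATCHED_LDIF = r"""
# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
cn: VLV Request Control

# dc\3Dtestrelm\2Cdc\3Dtest, mapping tree, config
dn: cn=dc\3Dtestrelm\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: nsMappingTree
cn: dc=testrelm,dc=test

# replica, dc\3Dtestrelm\2Cdc\3Dtest, mapping tree, config
dn: cn=replica,cn=dc\3Dtestrelm\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replica
objectClass: top
nsDS5ReplicaId: 4
nsState:: AQIDBA==

# search result
search: 4
result: 0 Success

# numEntries: 4
"""

# Constructed sample: the start of what an unpatched server returned.
UNPATCHED_LDIF = r"""
# config
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-backendconfig: cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=co
 nfig

# Binary Syntax, plugins, config
dn: cn=Binary Syntax,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: Binary Syntax

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
"""

if __name__ == "__main__":
    print("patched:  ", unexpected_exposure(PATCHED_LDIF))
    print("unpatched:", unexpected_exposure(UNPATCHED_LDIF))
```

In practice you would pipe the real output in (ldapsearch ... -b 'cn=config' > out.ldif, then unexpected_exposure(open("out.ldif").read())) and fail the check if the list is non-empty.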
Comment 5 Namita Soman 2015-01-23 13:37:25 EST
Verified using - ipa-server-4.1.0-15.el7.x86_64

# ipa privilege-show "Replication Administrators" --all
  dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testrelm,dc=test
  Privilege name: Replication Administrators
  Description: Replication Administrators
  Permissions: Remove Replication Agreements, Modify DNA Range, Add Replication Agreements, Modify
               Replication Agreements, System: Read Replication Agreements
  Granting privilege to roles: test, Security Architect
  objectclass: top, groupofnames, nestedgroup



# ipa user-add three
First name: three
Last name: three
------------------
Added user "three"
------------------
  User login: three
  First name: three
  Last name: three
  Full name: three three
  Display name: three three
  Initials: tt
  Home directory: /home/three
  GECOS: three three
  Login shell: /bin/sh
  Kerberos principal: three@TESTRELM.TEST
  Email address: three@testrelm.test
  UID: 1453400008
  GID: 1453400008
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


# ipa role-add test --desc test
-----------------
Added role "test"
-----------------
  Role name: test
  Description: test


# ipa role-add-privilege test --privileges 'Replication Administrators'
  Role name: test
  Description: test
  Privileges: Replication Administrators
----------------------------
Number of privileges added 1
----------------------------



# ipa role-add-member test --users three
  Role name: test
  Description: test
  Member users: three
  Privileges: Replication Administrators
-------------------------
Number of members added 1
-------------------------


# kinit three
Password for three@TESTRELM.TEST: 


# ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: three@TESTRELM.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
cn: Sync Request Control

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# cn\3Dchangelog, mapping tree, config
dn: cn=cn\3Dchangelog,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: cn=changelog

# dc\3Dtestrelm\2Cdc\3Dtest, mapping tree, config
dn: cn=dc\3Dtestrelm\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=testrelm,dc=test
cn: "dc=testrelm,dc=test"
nsslapd-state: backend
nsslapd-backend: userRoot

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: o=ipaca

# replica, dc\3Dtestrelm\2Cdc\3Dtest, mapping tree, config
dn: cn=replica,cn=dc\3Dtestrelm\2Cdc\3Dtest,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=testrelm,dc=test
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/mgmt2.testrelm.test@TESTRELM.TEST,cn
 =services,cn=accounts,dc=testrelm,dc=test
nsState:: BAAAAAAAAAC/i8JUAAAAAAAAAAAAAAAAAgAAAAAAAAADAAAAAAAAAA==
nsDS5ReplicaName: 39122d05-a1e611e4-afdfc7c4-104d6a42
nsds5ReplicaChangeCount: 1634
nsds5replicareapactive: 0

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
objectClass: extensibleobject
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-mgmt2.testrelm.tes
 t-pki-tomcat,ou=csusers,cn=config
cn: replica
nsDS5ReplicaId: 96
nsDS5Flags: 1
nsState:: YAAAAAAAAABkicJUAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: 8098b905-a1e611e4-afdfc7c4-104d6a42
nsds5ReplicaChangeCount: 171

# masterAgreement1-mgmt2.testrelm.test-pki-tomcat, replica, o\3Dipaca, mappin
 g tree, config
dn: cn=masterAgreement1-mgmt2.testrelm.test-pki-tomcat,cn=replica,cn=o\3Dipaca
 ,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: masterAgreement1-mgmt2.testrelm.test-pki-tomcat
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: mgmt2.testrelm.test
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-mgmt2.testrelm.test
 -pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaTransportInfo: TLS
description: masterAgreement1-mgmt2.testrelm.test-pki-tomcat
nsDS5ReplicaCredentials: {DES}bZnLgsOZYoTrmMSptEByLA==
nsds50ruv: {replicageneration} 54c06e13000000600000
nsds50ruv: {replica 97 ldap://mgmt2.testrelm.test:389} 54c06e55000000610000 54
 c06e58000200610000
nsds50ruv: {replica 96 ldap://qeblade6.testrelm.test:389} 54c06e39000000600000
  54c15b5d000000600000
nsruvReplicaLastModified: {replica 97 ldap://mgmt2.testrelm.test:389} 00000000
nsruvReplicaLastModified: {replica 96 ldap://qeblade6.testrelm.test:389} 00000
 000
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't co
 ntact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9
Comment 7 errata-xmlrpc 2015-03-05 05:11:43 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
