On Thu, 2014-01-09 at 17:37 -0500, Simo Sorce wrote:
> On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote:
> > This patch is independent from my patches 0028-0031 and can be merged in
> > any order.
> >
> > This patch has a bug, but I can't figure it out. We need to set
> > nsslapd-access-userattr-strict on cn=config to "off".
>
> Uhmm what is the effect on ACL evaluation of changing this boolean ?
> I can't figure out from your commit nor from the 389ds commit what exactly
> changes and how it impacts the security of the directory.
>
> I ask because I was planning on using userattr to protect some
> operations in the password plugin but was waiting due to bug:
> https://fedorahosted.org/389/ticket/47571 which is being resolved.
>
> I want to make sure your change won't change what these ACIs would allow.
>
> Is this option simply allowing the use of add/delete ACIs to be
> specified in conjunction with userattr, so that a user can add an attr
> only if it contains its own DN ?
>
> Will it allow the user to add multiple values to the same attr as long
> as one of them is the userDN ? Or will it restrict that case ?
>
> (I know that ipaTokenOwner is a single-value attribute, but the
> mechanism you are enabling here is general, and I want to be sure of
> what the semantics are)

After testing, it was determined that the 389DS patch #47653 does in fact
permit addition if any of the multi-valued attributes match the condition.
This is definitely problematic.

After discussion today with nkinder, simo, nhosoi, we agreed to roll back
patch #47653 and find an alternate approach. This also invalidates patch
freeipa-npmccallum-0032.

Simo will follow up this email with an alternate proposal.

Nathaniel

-- 
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
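The two evaluation rules Simo asks about, and which Nathaniel's testing distinguished, are easy to confuse, so here is an added Python model of them. It is not 389 Directory Server or FreeIPA code: it is a toy ACL check for an add operation on a multi-valued attribute under the rule "a value may be added only if it is the bound user's own DN", with a permissive "any value matches" evaluator beside a strict "every value must match" one. The attribute name `ownerAttr`, the DNs and the simplified DN comparison are all constructed for the illustration.

```python
# Added example, not 389 Directory Server code: a toy model of the two ways
# a "value must be the bound user's DN" rule can be applied to an LDAP add
# of a multi-valued attribute. Attribute name and DNs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AddRequest:
    bound_dn: str       # DN the client authenticated as
    attr: str           # attribute being modified (hypothetical "ownerAttr")
    new_values: tuple   # values the client asks to add in one operation


def _same_dn(a: str, b: str) -> bool:
    # Simplified DN comparison (case-insensitive, whitespace-trimmed).
    # Real DN matching follows RFC 4514 normalisation; out of scope here.
    return a.strip().lower() == b.strip().lower()


def permissive_check(req: AddRequest) -> bool:
    """Allow the add if ANY requested value is the bound DN.

    This is the behaviour the thread reports for the rolled-back change:
    a request that also carries other users' DNs still passes, because
    one of its values satisfies the condition."""
    return any(_same_dn(v, req.bound_dn) for v in req.new_values)


def strict_check(req: AddRequest) -> bool:
    """Allow the add only if EVERY requested value is the bound DN."""
    return bool(req.new_values) and all(
        _same_dn(v, req.bound_dn) for v in req.new_values
    )


def foreign_values(req: AddRequest) -> list:
    """Values naming someone other than the bound user.

    Useful for logging why a strict evaluator rejected a request, or for
    auditing what a permissive evaluator would have let through."""
    return [v for v in req.new_values if not _same_dn(v, req.bound_dn)]


def compare_rules(req: AddRequest) -> dict:
    """Verdict of both rules, plus the foreign values, for one request."""
    return {
        "permissive": permissive_check(req),
        "strict": strict_check(req),
        "foreign": foreign_values(req),
    }


# Constructed sample requests: alice is the bound user in every case.
ALICE = "uid=alice,cn=users,dc=example,dc=test"
BOB = "uid=bob,cn=users,dc=example,dc=test"

SELF_ONLY = AddRequest(ALICE, "ownerAttr", (ALICE,))
SELF_PLUS_BOB = AddRequest(ALICE, "ownerAttr", (ALICE, BOB))
BOB_ONLY = AddRequest(ALICE, "ownerAttr", (BOB,))


if __name__ == "__main__":
    for name, req in [("self only", SELF_ONLY),
                      ("self + bob", SELF_PLUS_BOB),
                      ("bob only", BOB_ONLY)]:
        print(f"{name:11s} -> {compare_rules(req)}")
```

Both rules agree on the single-value cases; they differ only on `SELF_PLUS_BOB`, where the permissive evaluator accepts the add although one of the values names another user. As Simo notes, ipaTokenOwner is single-valued so the difference would not surface there, but the evaluator is general and the strict form is the one that preserves the intended "only your own DN" semantics.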