Finn Fysj via FreeIPA-users wrote:
>> Finn Fysj via FreeIPA-users wrote:
>>
>> Seems unlikely that anonymous ACIs would prevent HBAC from working.
>> Especially ACIs that don't apply to the bound dn.
>>
>> These ACIs also apply very broadly across the server. For example, the
>> user and group ACIs overlap with memberof. You probably want to use a
>> different subtree, say the user container for the first and last, and
>> the group container for that one.
>>
>> rob
> Thank you for your response, Rob.
>
> I managed to solve this before reading your comment, however, could you please
> explain to me why it didn't work and why it works now?
>
> Looking at this through the eyes of the UI:
> The old solution was using the "Subtree" field with: Subtree:
> dc=example,dc=com. This was replaced with the use of "Type: User" with
> attribute: "memberof", and "Type: Group" with attributes: member and memberof
> for the anonymous group permission.
>
> How can this small thing make such a huge difference? (this is very new to me)
It has to do with where ACIs live in the tree. If all ACIs live in the basedn
then for every single operation, all ACIs will be evaluated. This is slow. We
try to locate ACIs within the "container" for each object instead of globally
(e.g. cn=users,cn=accounts). This applies the user-specific ACIs only when user
objects are managed.

I don't know about old and new with subtree and type. From what I remember this
has always been available on the cli from my initial implementation. The type
(user, group, host, etc) is shorthand for where the ACI will be placed so that
users don't need to understand the tree layout. Subtree is a more manual
approach to this to provide flexibility.

As I said, I can't believe that a global aci granting access to member/memberof
would affect HBAC evaluation. HBAC doesn't bind as anonymous so these shouldn't
even apply.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
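The point Rob makes about ACI placement, as an added example that is not part of the thread and not FreeIPA or 389-ds code: a small model of how the entry an ACI is stored on decides how often the server has to look at it. The DNs, ACIs and operations are constructed for illustration; the "global" list stands in for the old "Subtree: dc=example,dc=com" permission and the "scoped" list for the "Type: User" / "Type: Group" permissions. The only 389-ds rule assumed is that an ACI is considered for an operation when the target entry is at or below the entry holding the ACI, and that a userdn of "anyone" covers both anonymous and authenticated binds.

```python
"""Model of ACI scoping by location in the DIT (added example, not project code).

DNs, ACIs and operations below are constructed; they mirror the thread's
"Subtree: dc=example,dc=com" vs "Type: User"/"Type: Group" permissions."""
from dataclasses import dataclass

BASE = "dc=example,dc=com"
USERS = f"cn=users,cn=accounts,{BASE}"
GROUPS = f"cn=groups,cn=accounts,{BASE}"
HOSTS = f"cn=computers,cn=accounts,{BASE}"
HBAC = f"cn=hbac,{BASE}"


@dataclass(frozen=True)
class Aci:
    name: str
    location: str           # entry the aci attribute is stored on (the permission's location)
    attrs: frozenset        # attributes the ACI grants read on (targetattr)
    bind_rule: str          # "anyone": anonymous and authenticated; "all": authenticated only
    objectclass: str = None # objectclass targetfilter added by a "Type:" permission, None = no filter


@dataclass(frozen=True)
class Op:
    entry_dn: str
    attrs: frozenset        # attributes the operation touches
    objectclasses: frozenset
    anonymous: bool         # True for an anonymous bind


def _rdns(dn):
    return [c.strip().lower() for c in dn.split(",")]


def under(entry_dn, location):
    """True when entry_dn is location itself or sits beneath it."""
    e, loc = _rdns(entry_dn), _rdns(location)
    return len(e) >= len(loc) and e[-len(loc):] == loc


def must_evaluate(aci, op):
    """An ACI stored on an ancestor of the target entry is pulled into evaluation.
    An ACI on the base DN is therefore evaluated for every operation; one stored
    on cn=users,cn=accounts only when a user entry is touched."""
    return under(op.entry_dn, aci.location)


def grants(aci, op):
    """Whether an evaluated ACI actually applies to this operation."""
    if not must_evaluate(aci, op):
        return False
    if aci.objectclass and aci.objectclass.lower() not in {o.lower() for o in op.objectclasses}:
        return False
    if aci.bind_rule == "all" and op.anonymous:
        return False
    return bool(aci.attrs & op.attrs)


def evaluated(acis, op):
    return [a.name for a in acis if must_evaluate(a, op)]


def applicable(acis, op):
    return [a.name for a in acis if grants(a, op)]


# Old approach from the thread: one ACI on the base DN covering member/memberof.
GLOBAL_ACIS = [
    Aci("anon read memberof (global)", BASE, frozenset({"memberof", "member"}), "anyone"),
]

# New approach: ACIs placed in the user and group containers with an objectclass filter.
SCOPED_ACIS = [
    Aci("anon read user memberof", USERS, frozenset({"memberof"}), "anyone", "posixaccount"),
    Aci("anon read group membership", GROUPS, frozenset({"member", "memberof"}), "anyone", "ipausergroup"),
]

# Constructed operations: three anonymous reads and one authenticated read of an HBAC rule.
OPS = {
    "user read": Op(f"uid=alice,{USERS}", frozenset({"memberof"}), frozenset({"posixaccount"}), True),
    "group read": Op(f"cn=admins,{GROUPS}", frozenset({"member"}), frozenset({"ipausergroup"}), True),
    "host read": Op(f"fqdn=web1.example.com,{HOSTS}", frozenset({"memberof"}), frozenset({"ipahost"}), True),
    "hbac rule read": Op(f"ipauniqueid=1234,{HBAC}", frozenset({"memberhost"}), frozenset({"ipahbacrule"}), False),
}


def evaluation_counts(acis):
    """How many ACIs the server must consider per operation under each layout."""
    return {label: len(evaluated(acis, op)) for label, op in OPS.items()}


if __name__ == "__main__":
    for label, acis in (("global", GLOBAL_ACIS), ("scoped", SCOPED_ACIS)):
        print(label, evaluation_counts(acis))
        for name, op in OPS.items():
            print("  ", name, "->", applicable(acis, op))
```

Under the global layout every operation, including reads of hosts and HBAC rules, has to evaluate the base-DN ACI even though it only ends up granting anything for user and group entries; under the scoped layout the host and HBAC operations never touch these ACIs at all. The model also shows the global ACI reaching host entries' memberof, which is the "applies very broadly" overlap Rob describes.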
