[Freeipa-devel] LDAP ACI testing

Ludwig Krispenz lkrispen at redhat.com
Mon Mar 31 13:18:47 UTC 2014


On 03/31/2014 02:59 PM, Petr Spacek wrote:
> Hello list,
>
> thread "[Freeipa-devel] Read access to container entries" reminds me of 
> an idea I have had in mind for a while:
>
> We could check effective ACIs [1] for interesting objects (Kerberos 
> master key, trust objects etc.) and make sure that there is nothing 
> like 'read by anonymous' etc.
>
> Method [1] has one important limitation: It checks ACI in given 
> sub-tree against one specified DN.
>
> Realization of my idea would be better with a "reverse" approach: 
> Specify DN of a single object as "target" and get list of all users 
> with non-null access rights for the object in question. (This could be 
> refined with filter for specific rights so we can get "list of DNs 
> allowed to write to this object" etc.)
>
>
> Does it make sense?
yes, I think it would be a "nice to have" feature, but ...
I think it will be quite complex to implement and you could get very 
large result sets, eg all users.
In geteffectiverights you more or less do the normal aci evaluation for 
a given bind dn, but in your request you ask for all dns which could 
match the bind rules and this could be complicated in case of bind rules 
depending on attributes of the entry and the bind rule, eg in a userattr 
rule, so you would have to look at every entry and check if the userattr 
matches. In rules with groupdns we need to find all direct or indirect 
group members and for macro acis the expansion to all dns matching the 
macro could also get complicated.
>
>
>
> [1] 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html
>
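As an added illustration (not code from the thread, FreeIPA or 389-ds), a toy model of the "reverse" query discussed above: over a constructed directory and constructed ACIs it lists every bind DN with rights on a target, evaluating userdn, groupdn (with nested groups) and userattr bind rules, which shows where the group closure and per-entry userattr checks come in. All DNs, attributes and ACIs are invented sample data.

```python
"""Toy 'reverse' effective-rights query: userdn, nested groupdn and userattr rules."""
from collections import deque
ANON = "anonymous"  # stands for an unauthenticated bind (userdn = "anyone")

# Constructed directory (not IPA data): DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example": {},
    "uid=bob,ou=people,dc=example": {},
    "uid=carol,ou=people,dc=example": {},
    "cn=admins,ou=groups,dc=example": {"member": ["uid=alice,ou=people,dc=example",
                                                  "cn=ops,ou=groups,dc=example"]},
    "cn=ops,ou=groups,dc=example": {"member": ["uid=bob,ou=people,dc=example"]},
    "cn=master-key,cn=kerberos,dc=example": {"owner": ["uid=carol,ou=people,dc=example"]},
}

# Constructed ACIs: (target DN, granted rights, bind-rule kind, bind-rule value).
ACIS = [
    ("cn=master-key,cn=kerberos,dc=example", {"read", "write"},
     "groupdn", "cn=admins,ou=groups,dc=example"),
    ("cn=master-key,cn=kerberos,dc=example", {"read"}, "userattr", "owner#USERDN"),
    ("uid=bob,ou=people,dc=example", {"read"}, "userdn", "anyone"),
]

def expand_group(group_dn):
    """All direct and indirect member DNs: a groupdn rule needs the full closure."""
    users, seen, queue = set(), {group_dn}, deque([group_dn])
    while queue:
        for m in DIRECTORY.get(queue.popleft(), {}).get("member", []):
            if "member" not in DIRECTORY.get(m, {}):
                users.add(m)
            elif m not in seen:          # nested group not yet visited: expand it
                seen.add(m)
                queue.append(m)
    return users

def who_can(target, right=None):
    """Bind DNs with non-null rights on target (optionally only those holding `right`)."""
    result = {}
    for _t, rights, kind, value in (a for a in ACIS if a[0] == target):
        if kind == "userdn":
            subjects = {ANON} if value == "anyone" else {value}
        elif kind == "groupdn":
            subjects = expand_group(value)
        else:  # userattr "attr#USERDN": bind DN must appear in the target's own attr,
            attr = value.split("#")[0]   # which is why every entry has to be inspected
            subjects = set(DIRECTORY[target].get(attr, []))
        for dn in subjects:
            result.setdefault(dn, set()).update(rights)
    return {dn: r for dn, r in result.items() if right is None or right in r}
```

An audit for "read by anonymous" on a sensitive entry is then just checking whether ANON appears in who_can(target, "read").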