[Freeipa-devel] LDAP ACI testing

Martin Kosek mkosek at redhat.com
Mon Mar 31 13:32:28 UTC 2014


On 03/31/2014 03:23 PM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> Hello list,
>>
>> thread "[Freeipa-devel] Read access to container entries" reminds me of an
>> idea I have had in mind for a while:
>>
>> We could check effective ACIs [1] for interesting objects (Kerberos
>> master key, trust objects etc.) and make sure that there is nothing like
>> 'read by anonymous' etc.
>>
>> Method [1] has one important limitation: it checks the ACIs in a given sub-tree
>> against one specified DN.
>>
>> Realization of my idea would be better with a "reverse" approach:
>> Specify DN of a single object as "target" and get list of all users with
>> non-null access rights for the object in question. (This could be
>> refined with a filter for specific rights so we can get "list of DNs
>> allowed to write to this object" etc.)
>>
>>
>> Does it make sense?
>>
>>
>>
>> [1]
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html
>>
> 
> Maybe. We've had a long-term need to run the unit tests as various other users
> to avoid delegation regressions. We really should have some subset of tests to
> do positive and negative testing of each role. We'd probably want to do these
> tests directly with the framework.
> 
> Ideally this could be extended to disabling anonymous access, setting minimum
> SSF, etc. This could probably be mostly done using GER.
> 
> rob

FYI - we have a ticket already open to do something like what Petr says:

https://fedorahosted.org/freeipa/ticket/4035

IMO it is a good thing to do.

Martin
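The "reverse" lookup Petr sketches, as an added example (not code from the FreeIPA project or from anyone in this thread): for one target entry, ask the server for each candidate principal's effective rights and keep only the principals that hold something, optionally restricted to one right such as `write`. Against a live 389-ds/RHDS server the per-principal query is a search on the target DN with the Get Effective Rights request control (OID 1.3.6.1.4.1.42.2.27.9.5.2, value `dn: <authzid>`, empty authzid for anonymous) returning the `aclRights;entryLevel` and `aclRights;attributeLevel;<attr>` attributes; here that round trip is replaced by a constructed lookup table so the logic runs offline. The target DN, the principal DNs and the rights in the table are all made up for the example.

```python
"""Reverse effective-rights lookup: which principals hold rights on one entry."""
import re
from typing import Callable, Dict, Iterable, Mapping, Optional, Set

# 389-ds reports effective rights as "name:0|1" pairs, for example
#   aclRights;entryLevel: add:0, delete:0, read:1, write:0, proxy:0
_PAIR = re.compile(r"([a-z_]+):([01])")


def parse_acl_rights(value: str) -> Dict[str, bool]:
    """Parse one aclRights attribute value into {right: granted}."""
    return {name: flag == "1" for name, flag in _PAIR.findall(value)}


def granted_rights(ger_entry: Mapping[str, str]) -> Set[str]:
    """Collect every granted right from a GER result as 'entry:<right>' for
    entry-level rights and '<attribute>:<right>' for attribute-level ones."""
    out: Set[str] = set()
    for attr_type, raw in ger_entry.items():
        parts = attr_type.split(";")  # aclRights;entryLevel / aclRights;attributeLevel;<attr>
        if parts[0].lower() != "aclrights" or len(parts) < 2:
            continue
        scope = "entry" if parts[1].lower() == "entrylevel" else parts[2]
        for right, ok in parse_acl_rights(raw).items():
            if ok:
                out.add(f"{scope}:{right}")
    return out


# (target_dn, authzid) -> the aclRights attributes the server returns for that pair.
GerQuery = Callable[[str, str], Mapping[str, str]]


def who_can(target_dn: str, candidates: Iterable[str], ger: GerQuery,
            right: Optional[str] = None) -> Dict[str, Set[str]]:
    """Principals with at least one granted right on target_dn; with right=
    'write' etc. only that right is considered. Returns {authzid: rights}."""
    result: Dict[str, Set[str]] = {}
    for authz_dn in candidates:
        rights = granted_rights(ger(target_dn, authz_dn))
        if right is not None:
            rights = {r for r in rights if r.split(":", 1)[1] == right}
        if rights:
            result[authz_dn] = rights
    return result


def anonymous_findings(target_dn: str, ger: GerQuery) -> Set[str]:
    """Rights the anonymous bind holds on target_dn (empty set is the goal
    for sensitive objects such as the Kerberos master key)."""
    return granted_rights(ger(target_dn, ""))  # "" = empty authzid = anonymous


# Constructed stand-in for the directory's GER answers (not real data).
TARGET = "cn=sensitive object,dc=example,dc=test"
SAMPLE_GER: Dict[str, Dict[str, str]] = {
    "cn=Directory Manager": {
        "aclRights;entryLevel": "add:1, delete:1, read:1, write:1, proxy:1",
        "aclRights;attributeLevel;krbMKey":
            "search:1, read:1, compare:1, write:1, selfwrite_add:1, selfwrite_delete:1, proxy:1",
    },
    "uid=admin,cn=users,cn=accounts,dc=example,dc=test": {
        "aclRights;entryLevel": "add:0, delete:0, read:1, write:0, proxy:0",
        "aclRights;attributeLevel;krbMKey":
            "search:0, read:0, compare:0, write:0, selfwrite_add:0, selfwrite_delete:0, proxy:0",
    },
    "uid=helpdesk,cn=users,cn=accounts,dc=example,dc=test": {
        "aclRights;entryLevel": "add:0, delete:0, read:0, write:0, proxy:0",
        "aclRights;attributeLevel;krbMKey":
            "search:0, read:0, compare:0, write:0, selfwrite_add:0, selfwrite_delete:0, proxy:0",
    },
    # anonymous can read the entry: the kind of misconfiguration the check should surface
    "": {
        "aclRights;entryLevel": "add:0, delete:0, read:1, write:0, proxy:0",
        "aclRights;attributeLevel;krbMKey":
            "search:0, read:0, compare:0, write:0, selfwrite_add:0, selfwrite_delete:0, proxy:0",
    },
}


def sample_ger(target_dn: str, authz_dn: str) -> Mapping[str, str]:
    """Constructed GER query: looks the pair up in SAMPLE_GER instead of asking a server."""
    if target_dn != TARGET:
        raise KeyError(target_dn)
    return SAMPLE_GER[authz_dn]


if __name__ == "__main__":
    for dn, rights in who_can(TARGET, SAMPLE_GER, sample_ger).items():
        print(f"{dn or '<anonymous>'}: {sorted(rights)}")
    print("writers:", sorted(who_can(TARGET, SAMPLE_GER, sample_ger, right="write")))
    print("anonymous holds:", sorted(anonymous_findings(TARGET, sample_ger)))
```

The candidate list is the cost of the reverse approach: GER answers one "what can this principal do here" question at a time, so the inverse has to iterate over the principals that matter (admins, role members, service principals, anonymous) rather than enumerate every bind DN, and a test built on it should fail as soon as `anonymous_findings` returns anything for an object that is supposed to be private.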