[Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com
Rob Crittenden
rcritten at redhat.com
Mon Feb 18 15:56:34 UTC 2013
Alexander Bokovoy wrote:
> On Mon, 18 Feb 2013, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:
>>>> Please guide us about the LDAP user
>>>> "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com".
>>>> Does it has a read only access or read-write access to the
>>>> "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com" ?
>>>> Because the file /etc/ldap.conf is readable by all the users, so I am
>>>> concerned about the security.
>>>
>>> You can get effective access rights for any DN:
>>>
>>> Command example:
>>> /usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389
>>> -h server.example.com -b "dc=example,dc=com" -s sub -J
>>> 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
>>>
>>> "(objectclass=*)"
>>>
>>> Example was taken from section 8.4.11:
>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html
>>>
>>>
>>>
>>> Effective access rights description:
>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html
>>>
>>>
>>>
>>
>> You need the ldapsearch from mozldap-tools for this to work.
>>
>> The user has read-only access to the tree but it has write access to
>> itself (via the self-service rule).
> You can use ldapsearch from openldap too:
> $ ldapsearch -D cn=directory\ manager -w XXXXX -b
> cn=sysaccounts,cn=etc,dc=ipa,dc=team -s sub -E 1.3.6.1.4.1.42.2.27.9.5.2
> uid=sudo
> # extended LDIF
> #
> # LDAPv3
> # base <cn=sysaccounts,cn=etc,dc=ipa,dc=team> with scope subtree
> # filter: uid=sudo
> # requesting: ALL
> #
>
> # sudo, sysaccounts, etc, ipa.team
> dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=team
> objectClass: account
> objectClass: simplesecurityobject
> objectClass: top
> uid: sudo
> userPassword:: XXXXXXXXXXXXXXXXXXXXXXXX
> entryLevelRights: 21
> attributeLevelRights: *:21
>
>
The syntax for the control isn't quite right (and in the 2 seconds I
looked at it I wasn't able to get it working in openldap ldapsearch). It
needs to be set as critical and the DN you are checking the rights for
needs to be passed as payload.
The result should be a list of attributes and rights.
rob
More information about the Freeipa-users
mailing list