[Freeipa-users] read-only service account - aci
Martin Kosek
mkosek at redhat.com
Wed Mar 16 13:37:29 UTC 2016
On 03/15/2016 04:28 AM, Prashant Bapat wrote:
> Anyone?
>
> On 11 March 2016 at 22:12, Prashant Bapat <prashant at apigee.com> wrote:
>
> Hi,
>
> I'm trying to use IPA's LDAP server as the user database for an external
> application.
>
> I have created a service account from the LDIF below.
>
>
> # the uid attribute must match the RDN of the entry (uid=srv-ro)
> dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: srv-ro
> userPassword: changeme!
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
>
>
> This works fine. My question is: what's the ACI associated with this new user?
> Does this user have read-only access to everything in LDAP? Or should I
> add/tune the ACI?
This system user can now access all LDAP data that are allowed for
authenticated users. It should not have permission to actually write something
unless you allow any user to write something.
You can see the FreeIPA system read permissions [1] to see what authenticated
users are allowed to read. At minimum, they can read more information about
users, group members and others:
# ipa permission-find --bindtype=all | grep "Permission name"
Permission name: System: Read AD Domains
Permission name: System: Read CA ACLs
Permission name: System: Read CA Renewal Information
Permission name: System: Read Certificate Profiles
Permission name: System: Read DNA Configuration
Permission name: System: Read Domain Level
Permission name: System: Read Global Configuration
Permission name: System: Read Group ID Overrides
Permission name: System: Read Group Membership
Permission name: System: Read HBAC Rules
Permission name: System: Read HBAC Service Groups
Permission name: System: Read HBAC Services
Permission name: System: Read Host Membership
Permission name: System: Read Hostgroup Membership
Permission name: System: Read Hostgroups
Permission name: System: Read Hosts
Permission name: System: Read ID Ranges
Permission name: System: Read ID Views
Permission name: System: Read Netgroup Membership
Permission name: System: Read Netgroups
Permission name: System: Read OTP Configuration
Permission name: System: Read Realm Domains
Permission name: System: Read Replication Information
Permission name: System: Read SELinux User Maps
Permission name: System: Read Services
Permission name: System: Read Sudo Command Groups
Permission name: System: Read Sudo Commands
Permission name: System: Read Sudo Rules
Permission name: System: Read Trust Information
Permission name: System: Read User Addressbook Attributes
Permission name: System: Read User ID Overrides
Permission name: System: Read User IPA Attributes
Permission name: System: Read User Kerberos Attributes
Permission name: System: Read User Membership
Martin
[1] http://www.freeipa.org/page/V4/Managed_Read_permissions
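As an added example (not part of this thread and not FreeIPA's own tooling), the script below turns the advice above into a repeatable check. Every permission with bind rule type "all" applies to any authenticated bind, the new sysaccount included, so the account only stays read-only as long as none of those permissions grants write, add, delete or all. The function names, the embedded sample of `ipa permission-find --bindtype=all --all` output and the hypothetical "Custom: Constructed Write Example" permission are this example's own assumptions; the label names "Permission name:", "Granted rights:" and "Bind rule type:" are the ones the ipa CLI prints.

```shell
#!/bin/sh
# Added example for this thread (not from the FreeIPA project or the
# original posters). Audits which permissions reach every authenticated
# bind, and offers a live read/write probe for a sysaccount such as
# uid=srv-ro. Function and variable names are this example's own.

# audit_bindtype_all: reads `ipa permission-find --bindtype=all --all`
# output on stdin and prints "<name>\t<rights>" for each permission whose
# "Granted rights" line contains a write-class right. The ipa CLI separates
# entries with blank lines, so awk treats each blank-line block as one
# record; header/footer text has no "Permission name:" and is skipped.
audit_bindtype_all() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; rights = ""
        for (i = 1; i <= NF; i++) {
            line = $i
            sub(/^[ \t]+/, "", line)              # strip the CLI indentation
            if (line ~ /^Permission name: /)      name = substr(line, 18)
            else if (line ~ /^Granted rights: /)  rights = substr(line, 17)
        }
        if (name == "") next
        padded = ", " rights ","                  # ", read, write," for exact token match
        if (padded ~ /, (all|write|add|delete),/)
            printf "%s\t%s\n", name, rights
    }'
}

# verify_readonly_bind: live check against a server (needs ldapsearch and
# ldapmodify). Succeeds when the account can read the users subtree but a
# modify of TARGET_DN is refused: ldapmodify exits with the LDAP result
# code, and 50 is insufficientAccessRights. Not run against the sample.
# Usage: verify_readonly_bind URI BIND_DN PASSWORD BASE_DN TARGET_DN
verify_readonly_bind() {
    uri="$1"; binddn="$2"; pw="$3"; base="$4"; target="$5"
    ldapsearch -LLL -x -H "$uri" -D "$binddn" -w "$pw" \
        -b "cn=users,cn=accounts,$base" '(uid=*)' uid >/dev/null || return 1
    if printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: must be refused\n' "$target" |
        ldapmodify -x -H "$uri" -D "$binddn" -w "$pw" >/dev/null 2>&1; then
        return 1                                  # the write went through: not read-only
    else
        [ "$?" -eq 50 ]                           # refused with insufficient access: good
    fi
}

# Constructed sample of `ipa permission-find --bindtype=all --all` output:
# one stock read permission from the list above plus a hypothetical custom
# permission that wrongly grants write to every authenticated bind.
SAMPLE='----------------------
2 permissions matched
----------------------
  Permission name: System: Read User IPA Attributes
  Granted rights: read, compare, search
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com

  Permission name: Custom: Constructed Write Example
  Granted rights: read, write, search, compare
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com
----------------------------
Number of entries returned 2
----------------------------'

# Prints exactly one line, the constructed custom permission. On a real
# server run: ipa permission-find --bindtype=all --all | audit_bindtype_all
printf '%s\n' "$SAMPLE" | audit_bindtype_all
```

On a stock install the audit prints nothing, which is the result you want; any line it does print names a permission that hands write rights to the sysaccount and every other authenticated bind, and is the ACI to tune. The live probe complements it by testing the actual bind rather than the permission metadata.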