[Freeipa-users] read-only service account - aci
Prashant Bapat
prashant at apigee.com
Thu Mar 17 16:31:13 UTC 2016
Great! Thanks Martin.
On 16 March 2016 at 19:07, Martin Kosek <mkosek at redhat.com> wrote:
> On 03/15/2016 04:28 AM, Prashant Bapat wrote:
> > Anyone?
> >
> > On 11 March 2016 at 22:12, Prashant Bapat <prashant at apigee.com
> > <mailto:prashant at apigee.com>> wrote:
> >
> > Hi,
> >
> > I'm trying to use IPA's LDAP server as the user database for an
> > external application.
> >
> > I have created a service account from ldif below.
> >
> >
> > dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: changeme!
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> >
> >
> > This works fine. My question is: what's the ACI associated with this
> > new user? Does this user have read-only access to everything in LDAP? Or
> > should I add/tune the ACI?
>
> This system user can now access all LDAP data that are allowed for
> authenticated users. It should not have permission to actually write
> anything unless you allow any user to write something.
>
> You can see the FreeIPA system read permissions [1] to see what
> authenticated users are allowed to read. At minimum, they can read more
> information about users, group members and others:
>
> # ipa permission-find --bindtype=all | grep "Permission name"
> Permission name: System: Read AD Domains
> Permission name: System: Read CA ACLs
> Permission name: System: Read CA Renewal Information
> Permission name: System: Read Certificate Profiles
> Permission name: System: Read DNA Configuration
> Permission name: System: Read Domain Level
> Permission name: System: Read Global Configuration
> Permission name: System: Read Group ID Overrides
> Permission name: System: Read Group Membership
> Permission name: System: Read HBAC Rules
> Permission name: System: Read HBAC Service Groups
> Permission name: System: Read HBAC Services
> Permission name: System: Read Host Membership
> Permission name: System: Read Hostgroup Membership
> Permission name: System: Read Hostgroups
> Permission name: System: Read Hosts
> Permission name: System: Read ID Ranges
> Permission name: System: Read ID Views
> Permission name: System: Read Netgroup Membership
> Permission name: System: Read Netgroups
> Permission name: System: Read OTP Configuration
> Permission name: System: Read Realm Domains
> Permission name: System: Read Replication Information
> Permission name: System: Read SELinux User Maps
> Permission name: System: Read Services
> Permission name: System: Read Sudo Command Groups
> Permission name: System: Read Sudo Commands
> Permission name: System: Read Sudo Rules
> Permission name: System: Read Trust Information
> Permission name: System: Read User Addressbook Attributes
> Permission name: System: Read User ID Overrides
> Permission name: System: Read User IPA Attributes
> Permission name: System: Read User Kerberos Attributes
> Permission name: System: Read User Membership
>
> Martin
>
> [1] http://www.freeipa.org/page/V4/Managed_Read_permissions
>
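As an added illustration of Martin's point (this is not code from the thread or from FreeIPA), the script below takes an LDIF dump of managed permission entries under cn=permissions,cn=pbac and lists, for a given bind rule type, which target entries and attributes a read grant exposes; bindtype "all" is what any authenticated bind, a sysaccount included, receives. It assumes FreeIPA's permission attribute names (ipapermbindruletype, ipapermright, ipapermdefaultattr, ipapermincludedattr, ipapermexcludedattr, ipapermtargetfilter) and the managed-permission rule "default + included - excluded"; the two sample entries are constructed.

```python
# Added example, not from the thread: which attributes does a FreeIPA managed
# permission expose to a bind rule type? Sample LDIF entries are constructed.
SAMPLE_LDIF = """\
dn: cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read User Addressbook Attributes
ipapermbindruletype: all
ipapermright: read
ipapermdefaultattr: mail
ipapermdefaultattr: telephoneNumber
ipapermdefaultattr: st
ipapermincludedattr: mobile
ipapermexcludedattr: st
ipapermtargetfilter: (objectclass=inetorgperson)

dn: cn=Example: Read Login Timestamps (constructed),cn=permissions,cn=pbac,dc=example,dc=com
cn: Example: Read Login Timestamps (constructed)
ipapermbindruletype: permission
ipapermright: read
ipapermdefaultattr: krbLastSuccessfulAuth
ipapermtargetfilter: (objectclass=posixaccount)
"""

def parse_ldif(text):
    """Minimal LDIF reader: folds continuation lines, lowercases attribute names,
    keeps values as lists. Base64 (::) values are not decoded (assumption)."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last is not None:   # folded continuation
            cur[last][-1] += line[1:]
        elif not line.strip():                          # blank line ends entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            last = key.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries

def effective_attrs(entry):
    """Managed-permission rule: default + included - excluded (case-folded)."""
    get = lambda k: {a.lower() for a in entry.get(k, [])}
    return sorted((get("ipapermdefaultattr") | get("ipapermincludedattr"))
                  - get("ipapermexcludedattr"))

def exposed_to(entries, bind_type="all"):
    """{permission name: (target filter, attrs)} for read grants to bind_type."""
    out = {}
    for e in entries:
        rights = {r.lower() for r in e.get("ipapermright", [])}
        if e.get("ipapermbindruletype", [""])[0].lower() == bind_type and "read" in rights:
            target = e.get("ipapermtargetfilter", ["(objectclass=*)"])[0]
            out[e["cn"][0]] = (target, effective_attrs(e))
    return out
```

Run it against a real dump with `exposed_to(parse_ldif(open("perms.ldif").read()))` to see exactly what the sysaccount can read; anything it should not see has to be moved off a bindtype "all" permission.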