[Freeipa-users] read-only service account - aci

Prashant Bapat prashant at apigee.com
Thu Mar 17 16:31:13 UTC 2016


Great! Thanks Martin.

On 16 March 2016 at 19:07, Martin Kosek <mkosek at redhat.com> wrote:

> On 03/15/2016 04:28 AM, Prashant Bapat wrote:
> > Anyone?
> >
> > On 11 March 2016 at 22:12, Prashant Bapat <prashant at apigee.com> wrote:
> >
> >     Hi,
> >
> >     I'm trying to use IPA's LDAP server as the user database for an
> >     external application.
> >
> >     I have created a service account from the ldif below.
> >
> >
> >         dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
> >         changetype: add
> >         objectclass: account
> >         objectclass: simplesecurityobject
> >         uid: srv-ro
> >         userPassword: changeme!
> >         passwordExpirationTime: 20380119031407Z
> >         nsIdleTimeout: 0
> >
> >
> >     This works fine. My question is what's the ACI associated with this
> >     new user? Does this user have read-only access to everything in LDAP?
> >     Or should I add/tune the ACI?
>
> This system user can now access all LDAP data that is allowed for
> authenticated users. It should not have permission to actually write
> something unless you allow any user to write something.
>
> You can see the FreeIPA system read permissions [1] to see what
> authenticated users are allowed to read. At minimum, they can read more
> information about users, group members and others:
>
> # ipa permission-find --bindtype=all | grep "Permission name"
>   Permission name: System: Read AD Domains
>   Permission name: System: Read CA ACLs
>   Permission name: System: Read CA Renewal Information
>   Permission name: System: Read Certificate Profiles
>   Permission name: System: Read DNA Configuration
>   Permission name: System: Read Domain Level
>   Permission name: System: Read Global Configuration
>   Permission name: System: Read Group ID Overrides
>   Permission name: System: Read Group Membership
>   Permission name: System: Read HBAC Rules
>   Permission name: System: Read HBAC Service Groups
>   Permission name: System: Read HBAC Services
>   Permission name: System: Read Host Membership
>   Permission name: System: Read Hostgroup Membership
>   Permission name: System: Read Hostgroups
>   Permission name: System: Read Hosts
>   Permission name: System: Read ID Ranges
>   Permission name: System: Read ID Views
>   Permission name: System: Read Netgroup Membership
>   Permission name: System: Read Netgroups
>   Permission name: System: Read OTP Configuration
>   Permission name: System: Read Realm Domains
>   Permission name: System: Read Replication Information
>   Permission name: System: Read SELinux User Maps
>   Permission name: System: Read Services
>   Permission name: System: Read Sudo Command Groups
>   Permission name: System: Read Sudo Commands
>   Permission name: System: Read Sudo Rules
>   Permission name: System: Read Trust Information
>   Permission name: System: Read User Addressbook Attributes
>   Permission name: System: Read User ID Overrides
>   Permission name: System: Read User IPA Attributes
>   Permission name: System: Read User Kerberos Attributes
>   Permission name: System: Read User Membership
>
> Martin
>
> [1] http://www.freeipa.org/page/V4/Managed_Read_permissions
>
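As an added example (not code from the thread or from FreeIPA), a small Python helper that builds the sysaccount LDIF discussed above with the uid derived from the RDN and every value encoded per RFC 2849, plus a check that binds as that account and confirms it can read but not write. BASE_DN, the LDAP URI and the target entry are assumptions; the check shells out to OpenLDAP's ldapsearch and ldapmodify.

```python
import base64
import subprocess
import tempfile

# Constructed values for this example; adjust to your own realm.
BASE_DN = "dc=example,dc=com"
SYSACCOUNTS_DN = f"cn=sysaccounts,cn=etc,{BASE_DN}"

def ldif_value(attr, value):
    """One LDIF attribute line; values that are not RFC 2849 SAFE-STRINGs
    (non-ASCII, control chars, leading space/':'/'<', trailing space) go base64."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def sysaccount_ldif(uid, password, expires="20380119031407Z"):
    """Add-LDIF for a bind-only system account. uid is derived from the RDN so
    the two cannot drift apart; every value is rendered through ldif_value."""
    lines = [
        f"dn: uid={uid},{SYSACCOUNTS_DN}",
        "changetype: add",
        "objectclass: account",
        "objectclass: simplesecurityobject",
        ldif_value("uid", uid),
        ldif_value("userPassword", password),
        ldif_value("passwordExpirationTime", expires),
        "nsIdleTimeout: 0",
    ]
    return "\n".join(lines) + "\n"

def check_rights(uri, bind_dn, password, target_dn):
    """Bind as the service account; return (can_read, can_write) for target_dn.
    The write probe replaces 'description' on target_dn, so use a throwaway test
    entry. The password goes via -y (a 0600 temp file), never the command line."""
    with tempfile.NamedTemporaryFile("w") as pw:
        pw.write(password)  # no trailing newline: -y uses the file verbatim
        pw.flush()
        common = ["-x", "-H", uri, "-D", bind_dn, "-y", pw.name]
        read = subprocess.run(
            ["ldapsearch", *common, "-b", target_dn, "-s", "base", "uid"], capture_output=True)
        probe = (f"dn: {target_dn}\nchangetype: modify\n"
                 "replace: description\ndescription: aci probe\n")
        write = subprocess.run(["ldapmodify", *common], input=probe.encode(), capture_output=True)
    return read.returncode == 0, write.returncode == 0
```

For a correctly restricted account, check_rights should return (True, False); ldapmodify exits non-zero with insufficientAccessRights when the ACIs deny the write.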