[Freeipa-users] read-only service account - aci

Martin Kosek mkosek at redhat.com
Wed Mar 16 13:37:29 UTC 2016


On 03/15/2016 04:28 AM, Prashant Bapat wrote:
> Anyone?
> 
> On 11 March 2016 at 22:12, Prashant Bapat <prashant at apigee.com> wrote:
> 
>     Hi,
> 
>     I'm trying to use IPA's LDAP server as the user data base for an external
>     application.
> 
>     I have created a service account from ldif below.
> 
> 
>         dn: uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com
>         changetype: add
>         objectclass: account
>         objectclass: simplesecurityobject
>         uid: srv-ro
>         userPassword: changeme!
>         passwordExpirationTime: 20380119031407Z
>         nsIdleTimeout: 0
> 
> 
>     This works fine. My question is: what's the ACI associated with this new user?
>     Does this user have read-only access to everything in LDAP? Or should I
>     add/tune the ACI?

This system user can now access all LDAP data that are allowed for
authenticated users. It should not have permission to actually write something
unless you allow any user to write something.

You can see the FreeIPA system read permissions [1] to see what authenticated
users are allowed to read. At minimum, they can read more information about
users, group members and others:

# ipa permission-find --bindtype=all | grep "Permission name"
  Permission name: System: Read AD Domains
  Permission name: System: Read CA ACLs
  Permission name: System: Read CA Renewal Information
  Permission name: System: Read Certificate Profiles
  Permission name: System: Read DNA Configuration
  Permission name: System: Read Domain Level
  Permission name: System: Read Global Configuration
  Permission name: System: Read Group ID Overrides
  Permission name: System: Read Group Membership
  Permission name: System: Read HBAC Rules
  Permission name: System: Read HBAC Service Groups
  Permission name: System: Read HBAC Services
  Permission name: System: Read Host Membership
  Permission name: System: Read Hostgroup Membership
  Permission name: System: Read Hostgroups
  Permission name: System: Read Hosts
  Permission name: System: Read ID Ranges
  Permission name: System: Read ID Views
  Permission name: System: Read Netgroup Membership
  Permission name: System: Read Netgroups
  Permission name: System: Read OTP Configuration
  Permission name: System: Read Realm Domains
  Permission name: System: Read Replication Information
  Permission name: System: Read SELinux User Maps
  Permission name: System: Read Services
  Permission name: System: Read Sudo Command Groups
  Permission name: System: Read Sudo Commands
  Permission name: System: Read Sudo Rules
  Permission name: System: Read Trust Information
  Permission name: System: Read User Addressbook Attributes
  Permission name: System: Read User ID Overrides
  Permission name: System: Read User IPA Attributes
  Permission name: System: Read User Kerberos Attributes
  Permission name: System: Read User Membership

Martin

[1] http://www.freeipa.org/page/V4/Managed_Read_permissions
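Added example (not part of the thread, and not FreeIPA's own tooling): a small POSIX shell check that confirms the answer above empirically, by binding as the system account, counting the user entries it can read, and then attempting a write that a correctly scoped read-only account must be refused. It assumes the OpenLDAP client tools (ldapsearch, ldapmodify), that the server URI, bind DN, base DN, probe DN and password file are supplied through the environment variables shown (the defaults are placeholders), and that the account was created with the DN from the LDIF in the question.

```shell
#!/bin/sh
# Hypothetical verification script for a FreeIPA "system account" (example code).
# Nothing here talks to a server unless RUN_RO_CHECK=1 is set, so the file can
# be sourced to reuse its functions.

IPA_URI="${IPA_URI:-ldaps://ipa.example.com}"                                  # placeholder
BIND_DN="${BIND_DN:-uid=srv-ro,cn=sysaccounts,cn=etc,dc=example,dc=com}"        # DN from the question
BASE_DN="${BASE_DN:-dc=example,dc=com}"                                         # placeholder
PROBE_DN="${PROBE_DN:-uid=admin,cn=users,cn=accounts,dc=example,dc=com}"        # entry the write probe targets
PW_FILE="${PW_FILE:-/etc/srv-ro.pw}"   # password kept in a file (-y) so it never appears in the process list

# OpenLDAP client tools exit with the LDAP result code of the operation.
# Turn the ldapmodify exit status into a verdict a reviewer can act on:
#   50 = insufficientAccessRights -> the server refused the write (desired)
#    0 = success                  -> the account is NOT read-only
#   49 = invalidCredentials       -> the bind itself failed; fix that first
classify_write_result() {
  case "$1" in
    50) echo "read-only: write refused (insufficientAccessRights)" ;;
    0)  echo "NOT read-only: write succeeded" ;;
    49) echo "bind failed: invalidCredentials" ;;
    *)  echo "inconclusive: ldapmodify exit status $1" ;;
  esac
}

# Count LDIF entries on stdin (one "dn: " line per entry returned by ldapsearch).
count_entries() {
  grep -c '^dn: '
}

# How many user entries can the account enumerate? With the managed read
# permissions in place this should be every user, which is the point of the
# answer above: an authenticated bind already sees a lot.
read_check() {
  ldapsearch -LLL -x -H "$IPA_URI" -D "$BIND_DN" -y "$PW_FILE" \
    -b "cn=users,cn=accounts,$BASE_DN" '(objectclass=posixaccount)' uid \
    | count_entries
}

# Attempt a harmless modification of another entry; a read-only account must get
# result code 50 back. The attribute is never written if the ACIs are right.
write_check() {
  printf 'dn: %s\nchangetype: modify\nadd: description\ndescription: ro-probe\n' "$PROBE_DN" \
    | ldapmodify -x -H "$IPA_URI" -D "$BIND_DN" -y "$PW_FILE" >/dev/null 2>&1
  classify_write_result $?
}

main() {
  echo "user entries readable as $BIND_DN: $(read_check)"
  echo "write probe against $PROBE_DN: $(write_check)"
}

if [ "${RUN_RO_CHECK:-0}" = 1 ]; then
  main
fi
```

Run it as `RUN_RO_CHECK=1 PW_FILE=/path/to/pw ./ro-check.sh` with the real URI and DNs exported. A result other than "read-only: write refused" means the account is either misconfigured or has picked up a write ACI somewhere, and the `ipa permission-find --bindtype=all` listing above is the place to start looking.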
