Hello list,

thread "[Freeipa-devel] Read access to container entries" reminds me an idea I have in mind for a while:

We could check effective ACIs [1] for interesting objects (Kerberos master key, trust objects etc.) and make sure that there is nothing like 'read by anonymous' etc.

Method [1] has one important limitation: It checks ACI in given sub-tree against one specified DN.

Realization of my idea would be better with a "reverse" approach: Specify DN of a single object as "target" and get list of all users with non-null access rights for the object in question. (This could be refined with filter for specific rights so we can get "list of DNs allowed to write to this object" etc.)

Does it make sense?

[1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html

Petr^2 Spacek

Freeipa-devel mailing list

Reply via email to