Petr Spacek wrote:
thread "[Freeipa-devel] Read access to container entries" reminds me an
idea I have in mind for a while:
We could check effective ACIs  for interesting objects (Kerberos
master key, trust objects etc.) and make sure that there is nothing like
'read by anonymous' etc.
Method  has one important limitation: It checks ACI in given sub-tree
against one specified DN.
Realization of my idea would be better with a "reverse" approach:
Specify DN of a single object as "target" and get list of all users with
non-null access rights for the object in question. (This could be
refined with filter for specific rights so we can get "list of DNs
allowed to write to this object" etc.)
Does it make sense?
Maybe. We've had a long-term need to run the unit tests as various other
users to avoid delegation regressions. We really should have some subset
of tests to do positive and negative testing of each role. We'd probably
want to do these tests directly with the framework.
Ideally this could be extended to disabling anonymous access, setting
minimum SSF, etc. This could probably be mostly done using GER.
Freeipa-devel mailing list