On Wed, 16 Aug 2017, Anthony Clark via FreeIPA-users wrote:
> Hello Again Alexander,
>
> Do you know what permissions are needed to allow a particular user to be
> used as the bind-dn for that script?
'cn=Directory Manager' is expected. I'm not an author so you can open
issues on GitHub for the project itself.


> I tried using these two LDIFs but got a different result than if I used my
> directory admin user (which I don't want to use in a zabbix script for
> obvious security reasons):
>
> dn: cn="dc=dev,dc=healthmedia,dc=net",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")
>   (version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare)
>   groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";;)
>
> dn: cn="o=ipaca",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")
>   (version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare)
>   groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";;)
>
>
> ./ipa_check_consistency -H "ns01 ns02" -d dev.example.net -D uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net
> uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net password:
>
> (above command gives incorrect output) =
> FreeIPA servers:    ns01    ns02    STATE
> =========================================
> Active Users                        OK
> Stage Users                         OK
> Preserved Users                     OK
> User Groups         67      67      OK
> Hosts                               OK
> Host Groups                         OK
> HBAC Rules          16      16      OK
> SUDO Rules          11      11      OK
> DNS Zones           0       0       OK
> Certificates        0       0       OK
> LDAP Conflicts      NO      NO      OK
> Ghost Replicas      ERROR   ERROR   FAIL
> Anonymous BIND                      OK
> Microsoft ADTrust   YES     YES     OK
> Replication Status  ns02 0  ns01 0
> =========================================
>
> (correct output if directory admin is used) =
> FreeIPA servers:    ns01    ns02    STATE
> =========================================
> Active Users        192     192     OK
> Stage Users         0       0       OK
> Preserved Users     0       0       OK
> User Groups         67      67      OK
> Hosts               45      45      OK
> Host Groups         2       2       OK
> HBAC Rules          16      16      OK
> SUDO Rules          11      11      OK
> DNS Zones           6       6       OK
> Certificates        155     155     OK
> LDAP Conflicts      NO      NO      OK
> Ghost Replicas      NO      NO      OK
> Anonymous BIND      YES     YES     OK
> Microsoft ADTrust   YES     YES     OK
> Replication Status  ns02 0  ns01 0
> =========================================
>
>
> Would you, or anyone else in the list, be able to tell me what permissions
> I should be setting?  If I use my own account, I get the same result as the
> directory admin.
Sadly, I don't know the exact permissions to be used. They need to be found
out experimentally. This is one of the reasons why this script is not a part
of FreeIPA itself -- we wanted to find out a concise set of required
permissions before including it. Unfortunately, in the couple of years that
the script has existed nobody took the time to investigate what permissions
were really needed.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
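The reply above leaves the required permissions to be found experimentally. One way to do that, as an added example (this is not code from the ipa_check_consistency project or from either poster): issue the same kind of searches the checker makes, once bound as cn=Directory Manager and once as the service account, and diff the two runs. Every row where the restricted bind sees less names a subtree that still needs an ACI. The search bases and filters below are assumptions modelled on a default FreeIPA tree with the dev.example.net suffix from the thread, so verify them against the script before trusting the result; the sample directory at the bottom is constructed for an offline dry run. The probe distinguishes a base that is invisible to the bind DN (389-ds answers noSuchObject rather than insufficientAccessRights when there is no read right on the base entry) from a base that is readable but empty, which is the difference between a blank cell and a 0 in a report like the one quoted.

```python
"""Probe which parts of a FreeIPA directory a bind DN can read, so the ACIs a
service account needs can be found experimentally (added example).

Live:    python3 probe_acis.py ldaps://ns01.dev.example.net "uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net" PASSWORD
Offline: python3 -c "import probe_acis; print(probe_acis.dry_run())"
Bases and filters are ASSUMPTIONS, not taken from ipa_check_consistency.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

try:
    import ldap  # python-ldap, only needed for the live adapter
except ImportError:  # keep the module importable offline
    ldap = None

SUFFIX = "dc=dev,dc=example,dc=net"          # suffix used in the thread
SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = 0, 1, 2   # numeric values python-ldap uses


@dataclass(frozen=True)
class Probe:
    name: str   # row name as the checker's report prints it
    base: str
    scope: int
    filt: str


# One assumed probe per report row (replication/conflict rows left out).
PROBES: List[Probe] = [
    Probe("Active Users", f"cn=users,cn=accounts,{SUFFIX}", SCOPE_ONE, "(uid=*)"),
    Probe("Stage Users", f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}", SCOPE_ONE, "(uid=*)"),
    Probe("Preserved Users", f"cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}", SCOPE_ONE, "(uid=*)"),
    Probe("User Groups", f"cn=groups,cn=accounts,{SUFFIX}", SCOPE_ONE, "(cn=*)"),
    Probe("Hosts", f"cn=computers,cn=accounts,{SUFFIX}", SCOPE_ONE, "(fqdn=*)"),
    Probe("Host Groups", f"cn=hostgroups,cn=accounts,{SUFFIX}", SCOPE_ONE, "(cn=*)"),
    Probe("HBAC Rules", f"cn=hbac,{SUFFIX}", SCOPE_ONE, "(ipaUniqueID=*)"),
    Probe("SUDO Rules", f"cn=sudorules,cn=sudo,{SUFFIX}", SCOPE_ONE, "(ipaUniqueID=*)"),
    Probe("DNS Zones", f"cn=dns,{SUFFIX}", SCOPE_SUB, "(objectClass=idnsZone)"),
    Probe("Certificates", "ou=certificateRepository,ou=ca,o=ipaca", SCOPE_ONE, "(certStatus=*)"),
    Probe("Ghost Replicas", f'cn=replica,cn="{SUFFIX}",cn=mapping tree,cn=config', SCOPE_BASE, "(objectClass=*)"),
]
BASE = {p.name: p.base for p in PROBES}


class Invisible(Exception):
    """Base not returned: 389-ds answers noSuchObject (32) when the bound DN has no read ACI on it."""


class Denied(Exception):
    """Server answered insufficientAccessRights (50)."""


Search = Callable[[str, int, str], List[str]]   # (base, scope, filter) -> DNs found
Result = Tuple[str, int]                        # ("ok", count) or ("invisible"|"denied", -1)


def run_probes(search: Search, probes: List[Probe] = PROBES) -> Dict[str, Result]:
    """Run every probe; an unreadable base is recorded as a result, not raised."""
    results: Dict[str, Result] = {}
    for p in probes:
        try:
            results[p.name] = ("ok", len(search(p.base, p.scope, p.filt)))
        except Invisible:
            results[p.name] = ("invisible", -1)
        except Denied:
            results[p.name] = ("denied", -1)
    return results


def missing_rights(privileged: Dict[str, Result], restricted: Dict[str, Result]) -> List[str]:
    """Rows the restricted bind cannot reproduce: base invisible/denied, or fewer
    entries (container readable, children not). Each names a subtree needing an ACI."""
    missing = []
    for name, (pstat, pcount) in privileged.items():
        rstat, rcount = restricted.get(name, ("invisible", -1))
        if pstat == "ok" and (rstat != "ok" or rcount < pcount):
            missing.append(name)
    return missing


def ldap_search(conn) -> Search:
    """Adapt a bound python-ldap connection to the Search signature."""
    def _search(base: str, scope: int, filt: str) -> List[str]:
        try:  # "1.1" asks for no attributes; a None DN is a referral, skip it
            return [dn for dn, _ in conn.search_s(base, scope, filt, ["1.1"]) if dn]
        except ldap.NO_SUCH_OBJECT as e:
            raise Invisible(base) from e
        except ldap.INSUFFICIENT_ACCESS as e:
            raise Denied(base) from e
    return _search


def fake_search(tree: Dict[str, List[str]], denied=frozenset()) -> Search:
    """Offline stand-in: a base absent from `tree` is invisible, like noSuchObject."""
    def _search(base: str, scope: int, filt: str) -> List[str]:
        if base in denied:
            raise Denied(base)
        if base not in tree:
            raise Invisible(base)
        return list(tree[base])
    return _search


# Constructed sample directory (not data from the thread).
SAMPLE_FULL: Dict[str, List[str]] = {p.base: [] for p in PROBES}
SAMPLE_FULL[BASE["Active Users"]] = [f"uid={u},{BASE['Active Users']}" for u in ("alice", "bob", "zabbixbind")]
SAMPLE_FULL[BASE["User Groups"]] = [f"cn={g},{BASE['User Groups']}" for g in ("admins", "ipausers")]
SAMPLE_FULL[BASE["Hosts"]] = [f"fqdn=ns01.dev.example.net,{BASE['Hosts']}"]
SAMPLE_FULL[BASE["Ghost Replicas"]] = [BASE["Ghost Replicas"]]
# The same directory as seen by an account granted read on groups, HBAC and sudo only.
SAMPLE_RESTRICTED = {b: d for b, d in SAMPLE_FULL.items()
                     if b in (BASE["User Groups"], BASE["HBAC Rules"], BASE["SUDO Rules"])}


def report(results: Dict[str, Result]) -> str:
    return "\n".join(f"{n:18} {s:10} {c if c >= 0 else ''}" for n, (s, c) in results.items())


def dry_run() -> List[str]:
    priv, restr = run_probes(fake_search(SAMPLE_FULL)), run_probes(fake_search(SAMPLE_RESTRICTED))
    print(report(restr))
    return missing_rights(priv, restr)


def main(argv: List[str]) -> None:
    if ldap is None:
        sys.exit("python-ldap is not installed; use dry_run() instead")
    uri, bind_dn, password = argv[1:4]
    conn = ldap.initialize(uri)
    conn.simple_bind_s(bind_dn, password)
    print(report(run_probes(ldap_search(conn))))


if __name__ == "__main__":
    main(sys.argv)
```

Run it twice against the same server (Directory Manager, then the service account), feed both result dicts to `missing_rights`, and grant read/search/compare on the listed bases one at a time until the list is empty; that gives the concise permission set the reply says nobody has yet worked out, for the probes as assumed here.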
