On Mon, 18 Feb 2013, Rob Crittenden wrote:
Petr Spacek wrote:
On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:
Please guide us about the LDAP user.
Does it have read-only access or read-write access to
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"?
Because the file /etc/ldap.conf is readable by all users, I am
concerned about the security.

You can get effective access rights for any DN:

Command example:
/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389
-h server.example.com -b "dc=example,dc=com" -s sub -J,cn=sysaccounts,cn=etc,dc=example,dc=com

Example was taken from section 8.4.11:

Effective access rights description:

You need the ldapsearch from mozldap-tools for this to work.

The user has read-only access to the tree but it has write access to itself (via the self-service rule).
You can use ldapsearch from openldap too:
$ ldapsearch -D cn=directory\ manager -w XXXXX -b 
cn=sysaccounts,cn=etc,dc=ipa,dc=team -s sub -E 
# extended LDIF
# LDAPv3
# base <cn=sysaccounts,cn=etc,dc=ipa,dc=team> with scope subtree
# filter: uid=sudo
# requesting: ALL

# sudo, sysaccounts, etc, ipa.team
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=team
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
entryLevelRights: 21
attributeLevelRights: *:21

/ Alexander Bokovoy

Freeipa-users mailing list
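An added example, not code from the thread or from FreeIPA: once you have the LDIF from an effective-rights search like the ones above, this script parses it and reports what the bound account can actually change. It assumes the letter encoding 389 Directory Server documents for the Get Effective Rights control (entryLevelRights: a add, d delete, n rename, v view; attributeLevelRights: r read, s search, c compare, w write, o obliterate, W self-write, O self-delete); the DNs and the LDIF are constructed for the example. Values it does not recognise (such as the "21" in the output quoted above) are reported as unknown rather than silently treated as read-only.

```python
# Added example (not from the original thread or FreeIPA): parse the LDIF an
# effective-rights search returns and report the bound account's write access.
# Assumes the flag letters 389 Directory Server documents for the control:
#   entryLevelRights:     a=add d=delete n=rename v=view
#   attributeLevelRights: r=read s=search c=compare w=write o=obliterate
#                         W=self-write O=self-delete
import base64

ENTRY_FLAGS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_FLAGS = {"r": "read", "s": "search", "c": "compare", "w": "write",
              "o": "obliterate", "W": "self-write", "O": "self-delete"}
WRITE_FLAGS = set("woWO")          # any of these lets the account modify the attribute
ENTRY_WRITE = {"add", "delete", "rename"}

# Constructed sample output (hypothetical DNs under dc=example,dc=com).
SAMPLE_LDIF = """\
# sudo, sysaccounts, etc, example.com
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
entryLevelRights: v
attributeLevelRights: objectClass:rsc, uid:rsc, userPassword:wo

# sudorule1, sudorules, sudo, example.com
dn: cn=sudorule1,cn=sudorules,cn=sudo,dc=example,dc=com
objectClass: sudoRole
cn: sudorule1
entryLevelRights: v
attributeLevelRights: objectClass:rsc, cn:rsc,
 sudoUser:rsc, sudoHost:rsc
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each attr -> list of values.
    Handles comments, folded lines (leading space) and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if ":" not in line:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def entry_rights(entry):
    """Names of the entry-level rights granted, e.g. {'view'}."""
    flags = "".join(entry.get("entryLevelRights", []))
    return {ENTRY_FLAGS[f] for f in flags if f in ENTRY_FLAGS}


def attribute_flags(entry):
    """attribute -> raw flag string from attributeLevelRights ('uid:rsc, ...')."""
    flags = {}
    for value in entry.get("attributeLevelRights", []):
        for item in value.split(","):
            if item.strip():
                attr, _, f = item.strip().partition(":")
                flags[attr.strip()] = f.strip()
    return flags


def writable_attributes(entry):
    """Attributes the bound account may modify (w, o, W or O present)."""
    return sorted(a for a, f in attribute_flags(entry).items() if set(f) & WRITE_FLAGS)


def unknown_flags(entry):
    """Flag characters this example does not know; if non-empty, the
    read-only verdict cannot be trusted (e.g. the '21' seen in the thread)."""
    seen = set("".join(entry.get("entryLevelRights", []))) - set(ENTRY_FLAGS)
    for f in attribute_flags(entry).values():
        seen |= set(f) - set(ATTR_FLAGS)
    return seen


def is_read_only(entry):
    """True when the account can neither add/delete/rename the entry nor modify
    any attribute. Refuses to answer for rights values it cannot decode."""
    unknown = unknown_flags(entry)
    if unknown:
        raise ValueError("unrecognised rights flags: %s" % "".join(sorted(unknown)))
    return not (entry_rights(entry) & ENTRY_WRITE) and not writable_attributes(entry)


def report(ldif_text):
    """dn -> (sorted entry rights, writable attributes) for each entry."""
    return {e["dn"][0]: (sorted(entry_rights(e)), writable_attributes(e))
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, (rights, writable) in report(SAMPLE_LDIF).items():
        print("%s\n  entry: %s\n  writable: %s" % (
            dn, ",".join(rights) or "-", ",".join(writable) or "none"))
```

Feed it the LDIF from `ldapsearch ... -E` (or the mozldap `-J` form) for the service account named in /etc/ldap.conf; the account is safe to expose read-only only if every entry in the report comes back with no writable attributes and no add/delete/rename right, and the self-service write on its own userPassword is the one exception you would expect to see.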
