Alexander Bokovoy wrote:
On Mon, 18 Feb 2013, Rob Crittenden wrote:
Petr Spacek wrote:
On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:
Please guide us about the LDAP user
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com".
Does it has a read only access or read-write access to the
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com" ?
Because the file /etc/ldap.conf is readable by all the users, so I am
concerned about the security.

You can get effective access rights for any DN:

Command example:
/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389
-h server.example.com -b "dc=example,dc=com" -s sub -J
1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

"(objectclass=*)"

Example was taken from section 8.4.11:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html



Effective access rights description:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html




You need the ldapsearch from mozldap-tools for this to work.

The user has read-only access to the tree but it has write access to
itself (via the self-service rule).
You can use ldapsearch from openldap too:
$ ldapsearch -D cn=directory\ manager -w XXXXX -b
cn=sysaccounts,cn=etc,dc=ipa,dc=team -s sub -E 1.3.6.1.4.1.42.2.27.9.5.2
uid=sudo
# extended LDIF
#
# LDAPv3
# base <cn=sysaccounts,cn=etc,dc=ipa,dc=team> with scope subtree
# filter: uid=sudo
# requesting: ALL
#

# sudo, sysaccounts, etc, ipa.team
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=team
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXX
entryLevelRights: 21
attributeLevelRights: *:21



The syntax for the control isn't quite right (and in the 2 seconds I looked at it I wasn't able to get it working in openldap ldapsearch). It needs to be set as critical and the DN you are checking the rights for needs to be passed as payload.

The result should be a list of attributes and rights.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to