Alexander Bokovoy wrote:
On Mon, 18 Feb 2013, Rob Crittenden wrote:
Petr Spacek wrote:
On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:
Please guide us about the LDAP user
Does it has a read only access or read-write access to the
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com" ?
Because the file /etc/ldap.conf is readable by all the users, so I am
concerned about the security.

You can get effective access rights for any DN:

Command example:
/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389
-h -b "dc=example,dc=com" -s sub -J,cn=sysaccounts,cn=etc,dc=example,dc=com


Example was taken from section 8.4.11:

Effective access rights description:

You need the ldapsearch from mozldap-tools for this to work.

The user has read-only access to the tree but it has write access to
itself (via the self-service rule).
You can use ldapsearch from openldap too:
$ ldapsearch -D cn=directory\ manager -w XXXXX -b
cn=sysaccounts,cn=etc,dc=ipa,dc=team -s sub -E
# extended LDIF
# LDAPv3
# base <cn=sysaccounts,cn=etc,dc=ipa,dc=team> with scope subtree
# filter: uid=sudo
# requesting: ALL

# sudo, sysaccounts, etc,
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=team
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
entryLevelRights: 21
attributeLevelRights: *:21

The syntax for the control isn't quite right (and in the 2 seconds I looked at it I wasn't able to get it working in openldap ldapsearch). It needs to be set as critical and the DN you are checking the rights for needs to be passed as payload.

The result should be a list of attributes and rights.


Freeipa-users mailing list

Reply via email to