Alexander Bokovoy wrote:
On Mon, 18 Feb 2013, Rob Crittenden wrote:
Petr Spacek wrote:
On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:
Please guide us about the LDAP user
Does it has a read only access or read-write access to the
Because the file /etc/ldap.conf is readable by all the users, so I am
concerned about the security.
You can get effective access rights for any DN:
/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389
-h server.example.com -b "dc=example,dc=com" -s sub -J
Example was taken from section 8.4.11:
Effective access rights description:
You need the ldapsearch from mozldap-tools for this to work.
The user has read-only access to the tree but it has write access to
itself (via the self-service rule).
You can use ldapsearch from openldap too:
$ ldapsearch -D cn=directory\ manager -w XXXXX -b
cn=sysaccounts,cn=etc,dc=ipa,dc=team -s sub -E 18.104.22.168.22.214.171.124.126.96.36.199
# extended LDIF
# base <cn=sysaccounts,cn=etc,dc=ipa,dc=team> with scope subtree
# filter: uid=sudo
# requesting: ALL
# sudo, sysaccounts, etc, ipa.team
The syntax for the control isn't quite right (and in the 2 seconds I
looked at it I wasn't able to get it working in openldap ldapsearch). It
needs to be set as critical and the DN you are checking the rights for
needs to be passed as payload.
The result should be a list of attributes and rights.
Freeipa-users mailing list