Re: [Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

2013-02-18 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Mon, 18 Feb 2013, Rob Crittenden wrote:

Petr Spacek wrote:

On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:

Please guide us about the LDAP user
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com".
Does it have read-only access or read-write access to
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"?
Because the file /etc/ldap.conf is readable by all users, I am
concerned about security.


You can get effective access rights for any DN:

Command example:
/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 \
  -h server.example.com -b "dc=example,dc=com" -s sub \
  -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com \
  "(objectclass=*)"

Example was taken from section 8.4.11:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html

Effective access rights description:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html

You need the ldapsearch from mozldap-tools for this to work.

The user has read-only access to the tree but it has write access to
itself (via the self-service rule).

You can use ldapsearch from openldap too:
$ ldapsearch -D cn=directory\ manager -w X -b
cn=sysaccounts,cn=etc,dc=ipa,dc=team -s sub -E 1.3.6.1.4.1.42.2.27.9.5.2
uid=sudo
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=sudo
# requesting: ALL
#

# sudo, sysaccounts, etc, ipa.team
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=team
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
userPassword:: 
entryLevelRights: 21
attributeLevelRights: *:21

The syntax for the control isn't quite right (and in the 2 seconds I 
looked at it I wasn't able to get it working in openldap ldapsearch). It 
needs to be set as critical and the DN you are checking the rights for 
needs to be passed as payload.

The result should be a list of attributes and rights.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
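The effective-rights check Petr and Rob describe, as an added example that is not code from the thread, FreeIPA or 389 DS: it builds the Get Effective Rights control as a (OID, criticality, authzId payload) triple and audits the entryLevelRights/attributeLevelRights the server returns to decide whether a bind account such as uid=sudo is read-only. The rights letters are assumed to be those documented in the linked Red Hat Directory Server guide, and the LDIF input is constructed.

```python
# Added example (not code from the thread, FreeIPA or 389 DS): build the Get
# Effective Rights (GER) control and audit the rights the server reports, to
# answer "is this bind account read-only?". Rights letters assumed per the
# linked RHDS guide: entry a/d/n/v = add/delete/rename/view; attribute
# r/s/w/o/c = read/search/write/obliterate/compare, W/O = self-write/-delete.
GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"
ENTRY_WRITE, ATTR_WRITE = set("adn"), set("woWO")   # rights that alter tree / data

def ger_control(subject_dn, critical=True):
    """(OID, criticality, value): value is the subject's authzId, sent critical."""
    return (GER_OID, critical, "dn:" + subject_dn)

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr: [values]})]; '::' values kept raw."""
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():                            # end of entry
            if attrs:
                entries.append((attrs["dn"][0], attrs))
            attrs = {}
        elif not line.startswith("#"):                  # skip ldapsearch comments
            name, _, value = line.partition(":")
            attrs.setdefault(name, []).append(value.lstrip(":").strip())
    return entries

def write_exposure(ldif_text):
    """Per entry: rights that let the subject modify something (empty = read-only)."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        entry = set("".join(attrs.get("entryLevelRights", []))) & ENTRY_WRITE
        writable = {}
        for value in attrs.get("attributeLevelRights", []):
            for item in value.split(","):
                name, _, rights = item.strip().partition(":")
                if set(rights) & ATTR_WRITE:
                    writable[name] = set(rights) & ATTR_WRITE
        report[dn] = {"entry": entry, "attrs": writable}
    return report

SAMPLE = """\
# constructed GER output modelled on the thread; values are illustrative
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: objectClass:rsc, uid:rsc, userPassword:rswo

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: uid:rsc, userPassword:rsc
"""
```

Run the real ldapsearch with the control, feed its output to write_exposure, and any non-empty "attrs" beyond the account's own userPassword (the self-service rule Rob mentions) is what a world-readable /etc/ldap.conf would expose.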


Re: [Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

2013-02-18 Thread Alexander Bokovoy

On Mon, 18 Feb 2013, Rob Crittenden wrote:

Petr Spacek wrote:

On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:

Please guide us about the LDAP user
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com".
Does it have read-only access or read-write access to
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"?
Because the file /etc/ldap.conf is readable by all users, I am
concerned about security.


You can get effective access rights for any DN:

Command example:
/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 \
  -h server.example.com -b "dc=example,dc=com" -s sub \
  -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com \
  "(objectclass=*)"

Example was taken from section 8.4.11:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html

Effective access rights description:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html

You need the ldapsearch from mozldap-tools for this to work.

The user has read-only access to the tree but it has write access to 
itself (via the self-service rule).

You can use ldapsearch from openldap too:
$ ldapsearch -D cn=directory\ manager -w X -b 
cn=sysaccounts,cn=etc,dc=ipa,dc=team -s sub -E 1.3.6.1.4.1.42.2.27.9.5.2 
uid=sudo
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=sudo
# requesting: ALL
#

# sudo, sysaccounts, etc, ipa.team
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=team
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
userPassword:: 
entryLevelRights: 21
attributeLevelRights: *:21

--
/ Alexander Bokovoy



Re: [Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

2013-02-18 Thread Rob Crittenden

Petr Spacek wrote:

On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:

Please guide us about the LDAP user
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com".
Does it have read-only access or read-write access to
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"?
Because the file /etc/ldap.conf is readable by all users, I am
concerned about security.


You can get effective access rights for any DN:

Command example:
/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 \
  -h server.example.com -b "dc=example,dc=com" -s sub \
  -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com \
  "(objectclass=*)"

Example was taken from section 8.4.11:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html

Effective access rights description:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html

You need the ldapsearch from mozldap-tools for this to work.

The user has read-only access to the tree but it has write access to 
itself (via the self-service rule).

rob



Re: [Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

2013-02-18 Thread Petr Spacek

On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:

Please guide us about the LDAP user
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com".
Does it have read-only access or read-write access to
"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"?
Because the file /etc/ldap.conf is readable by all users, I am
concerned about security.


You can get effective access rights for any DN:

Command example:
/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 \
  -h server.example.com -b "dc=example,dc=com" -s sub \
  -J 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com \
  "(objectclass=*)"

Example was taken from section 8.4.11:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html

Effective access rights description:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html

--
Petr^2 Spacek
