Hello again, Alexander,
Do you know what permissions are needed to allow a particular user to be
used as the bind-dn for that script?
'cn=Directory Manager' is expected.
I'm not an author, so you can open
issues on GitHub for the project itself.
I tried using these two LDIFs but got a different result than if I used my
directory admin user (which I don't want to use in a zabbix script for
obvious security reasons):
dn: cn="dc=dev,dc=healthmedia,dc=net",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")
 (version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare)
  groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)

dn: cn="o=ipaca",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")
 (version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare)
  groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)
./ipa_check_consistency -H "ns01 ns02" -d dev.example.net -D uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net
uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net password:
(above command gives incorrect output)
FreeIPA servers: ns01 ns02 STATE
=========================================
Active Users OK
Stage Users OK
Preserved Users OK
User Groups 67 67 OK
Hosts OK
Host Groups OK
HBAC Rules 16 16 OK
SUDO Rules 11 11 OK
DNS Zones 0 0 OK
Certificates 0 0 OK
LDAP Conflicts NO NO OK
Ghost Replicas ERROR ERROR FAIL
Anonymous BIND OK
Microsoft ADTrust YES YES OK
Replication Status ns02 0 ns01 0
=========================================
(correct output if directory admin is used)
FreeIPA servers: ns01 ns02 STATE
=========================================
Active Users 192 192 OK
Stage Users 0 0 OK
Preserved Users 0 0 OK
User Groups 67 67 OK
Hosts 45 45 OK
Host Groups 2 2 OK
HBAC Rules 16 16 OK
SUDO Rules 11 11 OK
DNS Zones 6 6 OK
Certificates 155 155 OK
LDAP Conflicts NO NO OK
Ghost Replicas NO NO OK
Anonymous BIND YES YES OK
Microsoft ADTrust YES YES OK
Replication Status ns02 0 ns01 0
=========================================
Would you, or anyone else in the list, be able to tell me what permissions
I should be setting? If I use my own account, I get the same result as the
directory admin.
Sadly, I don't know the exact permissions to be used. They need to
be found
out experimentally. This is one of the reasons why this script is not a part
of FreeIPA itself -- we wanted to find out a concise set of required
permissions before including it. Unfortunately, in the couple of years that the
script has existed nobody took the time to investigate what permissions were
really needed.
--
/ Alexander Bokovoy
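One way to do the experiment Alexander describes, as an added example that is not part of ipa_check_consistency, FreeIPA or this thread: run the search behind each row of the script's table twice, once as the directory admin and once as the restricted bind DN, and report the rows whose results differ. Those rows point at the containers that still need an ACI for the restricted account. The container DNs and filters in CHECKS follow the stock FreeIPA layout but are assumptions to verify against your own directory; the ldapsearch invocation uses standard OpenLDAP client flags and is assumed to be on PATH; the sample result tables are constructed to mirror the two outputs quoted above.

```python
"""
Hypothetical helper for finding out, experimentally, which of the
ipa_check_consistency checks a restricted bind DN cannot answer. It is not
part of the script or of FreeIPA. Each check's search is run twice, once as
the directory admin and once as the restricted user, and the checks whose
results differ point at the containers that still need an ACI.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Assumed FreeIPA containers behind the rows of the script's table, following
# the stock FreeIPA DIT layout. Verify them against your own directory.
SUFFIX = "dc=dev,dc=example,dc=net"
CHECKS: Dict[str, Tuple[str, str]] = {
    "Active Users":    (f"cn=users,cn=accounts,{SUFFIX}", "(objectClass=posixAccount)"),
    "Stage Users":     (f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}", "(objectClass=posixAccount)"),
    "Preserved Users": (f"cn=deleted users,cn=accounts,cn=provisioning,{SUFFIX}", "(objectClass=posixAccount)"),
    "User Groups":     (f"cn=groups,cn=accounts,{SUFFIX}", "(objectClass=ipaUserGroup)"),
    "Hosts":           (f"cn=computers,cn=accounts,{SUFFIX}", "(objectClass=ipaHost)"),
    "Host Groups":     (f"cn=hostgroups,cn=accounts,{SUFFIX}", "(objectClass=ipaHostGroup)"),
    "HBAC Rules":      (f"cn=hbac,{SUFFIX}", "(objectClass=ipaHBACRule)"),
    "SUDO Rules":      (f"cn=sudorules,cn=sudo,{SUFFIX}", "(objectClass=ipaSudoRule)"),
    "DNS Zones":       (f"cn=dns,{SUFFIX}", "(objectClass=idnsZone)"),
    "Certificates":    ("ou=certificateRepository,ou=ca,o=ipaca", "(certStatus=VALID)"),
    "Ghost Replicas":  ("cn=mapping tree,cn=config", "(objectClass=nsMappingTree)"),
}

# A search function takes (base DN, filter) and returns the number of entries
# the bound identity can see, or None if the search itself failed.
SearchFn = Callable[[str, str], Optional[int]]


def ldapsearch_counter(host: str, bind_dn: str, password: str) -> SearchFn:
    """Build a search function that shells out to OpenLDAP's ldapsearch
    (assumed to be on PATH) and counts the 'dn:' lines it returns."""
    def search(base: str, ldap_filter: str) -> Optional[int]:
        cmd = ["ldapsearch", "-LLL", "-o", "ldif-wrap=no", "-H", f"ldaps://{host}",
               "-D", bind_dn, "-w", password, "-b", base, "-s", "sub", ldap_filter, "dn"]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        if proc.returncode != 0:
            return None
        return sum(1 for line in proc.stdout.splitlines() if line.startswith("dn:"))
    return search


def compare_visibility(admin: SearchFn, restricted: SearchFn) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Run every check as both binds and return the checks whose results differ,
    mapped to (admin count, restricted count)."""
    gaps: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    for name, (base, ldap_filter) in CHECKS.items():
        a, r = admin(base, ldap_filter), restricted(base, ldap_filter)
        if a != r:
            gaps[name] = (a, r)
    return gaps


def containers_needing_aci(gaps: Dict[str, Tuple[Optional[int], Optional[int]]]) -> List[str]:
    """Translate failing checks into the base DNs an ACI would have to cover."""
    return [CHECKS[name][0] for name in gaps]


# Constructed sample results mirroring the two outputs quoted in the thread.
# 389 DS does not refuse a search the bind DN may not read; it simply returns
# the entries that are readable, so a denied container looks empty (0).
ADMIN_SAMPLE = {"Active Users": 192, "Stage Users": 0, "Preserved Users": 0,
                "User Groups": 67, "Hosts": 45, "Host Groups": 2, "HBAC Rules": 16,
                "SUDO Rules": 11, "DNS Zones": 6, "Certificates": 155, "Ghost Replicas": 2}
RESTRICTED_SAMPLE = {"User Groups": 67, "HBAC Rules": 16, "SUDO Rules": 11,
                     "Ghost Replicas": None}   # cn=config search failed outright


def sample_counter(results: Dict[str, Optional[int]]) -> SearchFn:
    """Search function backed by a constructed result table instead of a server."""
    by_base = {CHECKS[name][0]: count for name, count in results.items()}

    def search(base: str, ldap_filter: str) -> Optional[int]:
        return by_base.get(base, 0)   # unreadable container looks empty
    return search


def demo() -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Compare the constructed admin and restricted views."""
    return compare_visibility(sample_counter(ADMIN_SAMPLE), sample_counter(RESTRICTED_SAMPLE))


if __name__ == "__main__":
    for name, (a, r) in demo().items():
        print(f"{name:16s} admin={a} restricted={r} -> needs ACI on {CHECKS[name][0]}")
```

Against a live server you would replace the two sample_counter calls with ldapsearch_counter(host, "cn=Directory Manager", ...) and ldapsearch_counter(host, "uid=zabbixbind,...", ...). Two caveats: an empty container (Stage Users and Preserved Users in the quoted output) gives the same count for both binds, so the comparison cannot tell whether the restricted account can read it, and a count of 0 for the restricted bind is exactly the silent-denial symptom visible in the first table above, not proof that the container is empty.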