I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Many Thanks,
Adam Bishop
On 1/24/19 4:17 PM, Adam Bishop via FreeIPA-users wrote:
I have a piece of software that tries to look up its own uid to check that LDAP is correctly configured.
This check fails because the sysaccount cannot view anything under cn=etc,cn=sysaccounts.
Is there an existing permission/privilege that I can use to allow it to read the sysaccounts tree (or better, just its own entry)?
Hi Adam,
I did not find any existing permission allowing that. You will need to either write your own permission, or directly add a new ACI in 389-ds.
You need first to find the exact LDAP operations that the software is doing (for instance a search with base=xx and filter=yy requesting attributes zz). The attributes used in the filter have to be readable by the user performing the search, as well as the attributes requested. If the user is performing a search on its own entry, it is possible to use the ldap:///self bind rule in the ACI.
Please find more info re. 389-ds Access Control in [1].
HTH, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
Many Thanks,
Adam Bishop
In case anyone was ever looking this up (as I have recently), I managed to figure out a sysaccounts bind entry access as per above using the following LDIF (assuming you don't want the sysaccount reading things like userPassword or other secrets):
Replace $SUFFIX with your domain config (i.e. "dc=site,dc=example,dc=com")
Replace $MYSERVICEACCOUNT with your account's uid

"MYSERVICEACCOUNT_ACI.ldif"
------
dn: cn=sysaccounts,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation") (version 3.0; acl "allow (compare,read,search) of sysaccounts by $MYSERVICEACCOUNT"; allow(search,read,compare) userdn = "ldap:///uid=$MYSERVICEACCOUNT,cn=sysaccounts,cn=etc,$SUFFIX";)
------

Apply with ldapmodify:
------
ldapmodify -x -D "cn=Directory Manager" -W -h `hostname` -f MYSERVICEACCOUNT_ACI.ldif
------
John Phillip Apple II via FreeIPA-users wrote:
In case anyone was ever looking this up (as I have recently), I managed to figure out a sysaccounts bind entry access as per above using the following LDIF (assuming you don't want the sysaccount reading things like userPassword or other secrets):
Replace $SUFFIX with your domain config (i.e. "dc=site,dc=example,dc=com")
Replace $MYSERVICEACCOUNT with your account's uid
"MYSERVICEACCOUNT_ACI.ldif"
dn: cn=sysaccounts,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation") (version 3.0; acl "allow (compare,read,search) of sysaccounts by $MYSERVICEACCOUNT"; allow(search,read,compare) userdn = "ldap:///uid=$MYSERVICEACCOUNT,cn=sysaccounts,cn=etc,$SUFFIX";)
Apply with ldapmodify:
ldapmodify -x -D "cn=Directory Manager" -W -h `hostname` -f MYSERVICEACCOUNT_ACI.ldif
I think rather than listing the attributes that are not allowed I'd list the attributes that are. Something like (untested):
aci: (targetfilter = "(objectClass=account)")(targetattr = "objectclass || uid || passwordExpirationTime")(version 3.0; acl "Read $MYSERVICEACCOUNT sysaccount"; allow (read, search, compare) userdn = "ldap:///uid=$MYSERVICEACCOUNT,cn=sysaccounts,cn=etc,$SUFFIX";)
rob
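To make the difference between the two ACI styles in this thread concrete, here is an added Python example (not 389-ds code and not from any poster) that models only the targetattr clause of John's deny-list ACI and rob's allow-list ACI and asks which attributes each one exposes. The attribute name exampleFutureSecret is a constructed placeholder for a sensitive attribute added to the schema after the deny list was written.

```python
import re

# Simplified model of how 389-ds reads the targetattr clause of an ACI:
# 'targetattr = "a || b"' exposes only the listed attributes, while
# 'targetattr != "a || b"' exposes every attribute except the listed ones.
# The real server also evaluates target, targetfilter, the bind rule and the
# combination of all matching ACIs; this example ignores those parts.
TARGETATTR_RE = re.compile(r'targetattr\s*(!=|=)\s*"([^"]*)"', re.IGNORECASE)

# targetattr clauses copied from the thread; acl names and bind rule simplified
# to ldap:///self so the strings need no $SUFFIX / $MYSERVICEACCOUNT substitution.
DENY_LIST_ACI = (
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || '
    'krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || '
    'enrolledBy || ipaNTHash || ipaProtectedOperation")'
    '(version 3.0; acl "deny-list"; allow (search,read,compare) userdn = "ldap:///self";)'
)
ALLOW_LIST_ACI = (
    '(targetfilter = "(objectClass=account)")'
    '(targetattr = "objectclass || uid || passwordExpirationTime")'
    '(version 3.0; acl "allow-list"; allow (read, search, compare) userdn = "ldap:///self";)'
)

def parse_targetattr(aci):
    """Return (negated, attrs): attrs is the lowercased set of listed attribute names."""
    m = TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("ACI has no targetattr clause")
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    return m.group(1) == "!=", attrs

def attribute_readable(aci, attr):
    """True if the ACI's targetattr clause lets the bound user read `attr`."""
    negated, attrs = parse_targetattr(aci)
    listed = attr.lower() in attrs  # LDAP attribute names are case-insensitive
    return (not listed) if negated else listed

def compare(attrs):
    """Map each attribute to (readable under deny-list, readable under allow-list)."""
    return {a: (attribute_readable(DENY_LIST_ACI, a),
                attribute_readable(ALLOW_LIST_ACI, a)) for a in attrs}

if __name__ == "__main__":
    # exampleFutureSecret is a constructed attribute name, not part of the IPA schema.
    for attr, (deny, allow) in compare(["uid", "userPassword", "exampleFutureSecret"]).items():
        print(f"{attr:20s} deny-list: {deny!s:5s} allow-list: {allow}")
```

The deny-list form silently exposes any attribute the list does not name, which is the reason rob prefers enumerating the few attributes the sysaccount actually needs.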