[Freeipa-devel] LDAP ACI testing

Petr Spacek pspacek at redhat.com
Mon Mar 31 12:59:34 UTC 2014


Hello list,

thread "[Freeipa-devel] Read access to container entries" reminds me of an idea I 
have had in mind for a while:

We could check effective ACIs [1] for interesting objects (Kerberos master 
key, trust objects etc.) and make sure that there is nothing like 'read by 
anonymous' etc.

Method [1] has one important limitation: it checks ACIs in a given sub-tree 
against one specified DN.

Realization of my idea would be better with a "reverse" approach: specify the DN 
of a single object as the "target" and get a list of all users with non-null access 
rights to the object in question. (This could be refined with a filter for 
specific rights, so we can get a "list of DNs allowed to write to this object", etc.)


Does it make sense?



[1] 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html

-- 
Petr^2 Spacek
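Added example (not part of the post and not FreeIPA or 389 DS code): a small Python sketch of the "reverse" query described above. The Get Effective Rights control OID, the "dn: <authzid>" control value and the aclRights;entryLevel / aclRights;attributeLevel;<attr> result format are taken from the Red Hat Directory Server documentation linked as [1]; the target DN, the candidate identities and the GER responses in MOCK_GER_RESPONSES are constructed so the script runs offline. The ger_query callback is the one piece a real deployment would replace with an LDAP search carrying the control.

```python
"""Reverse effective-rights audit: for ONE target entry, which identities have
any granted right, and is anything readable by anonymous?

Added example, not from the post or the FreeIPA project. Control OID and value
format follow the RHDS "Get Effective Rights Control" documentation; all DNs and
server responses below are CONSTRUCTED for an offline run.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Set

# Get Effective Rights request control (from the linked RHDS documentation).
GER_CONTROL_OID = "1.3.6.1.4.1.42.2.27.9.5.2"

# GER convention: an empty authorization DN asks about anonymous access.
ANON_DN = ""


def ger_control_value(authz_dn: str) -> bytes:
    """Control value for a GER search: 'dn: <identity whose rights we ask about>'.
    With python-ldap this would be wrapped as
    ldap.controls.RequestControl(GER_CONTROL_OID, True, ger_control_value(dn))."""
    return b"dn: " + authz_dn.encode("utf-8")


# aclRights values look like "add:0, delete:0, read:1, write:0, proxy:0".
_RIGHT_RE = re.compile(r"(\w+):([01])")


def parse_acl_rights(attrs: Dict[str, List[str]]) -> Dict[str, Dict[str, bool]]:
    """Map one GER search result (attribute -> values) to
    {"entry": {right: granted}, "attr:<name>": {right: granted}, ...}."""
    out: Dict[str, Dict[str, bool]] = {}
    for name, values in attrs.items():
        parts = name.split(";")
        if parts[0].lower() != "aclrights" or not values:
            continue
        if len(parts) >= 2 and parts[1].lower() == "entrylevel":
            key = "entry"
        elif len(parts) >= 3 and parts[1].lower() == "attributelevel":
            key = "attr:" + parts[2]
        else:
            continue
        out[key] = {m.group(1): m.group(2) == "1" for m in _RIGHT_RE.finditer(values[0])}
    return out


def granted_rights(rights: Dict[str, Dict[str, bool]]) -> Set[str]:
    """Flatten to the rights actually granted: 'entry:read', 'attr:cn:write', ..."""
    return {f"{scope}:{right}" for scope, flags in rights.items()
            for right, ok in flags.items() if ok}


def who_has_rights(target_dn: str, candidates: Iterable[str],
                   ger_query: Callable[[str, str], Dict[str, List[str]]],
                   wanted: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """The reverse approach: one GER search per candidate identity against the
    single target entry; keep identities with any granted right (optionally only
    rights named in `wanted`, e.g. {"write"})."""
    result: Dict[str, List[str]] = {}
    for authz_dn in candidates:
        granted = granted_rights(parse_acl_rights(ger_query(authz_dn, target_dn)))
        if wanted is not None:
            granted = {g for g in granted if g.rsplit(":", 1)[-1] in wanted}
        if granted:
            result[authz_dn] = sorted(granted)
    return result


def anonymous_exposure(target_dn: str,
                       ger_query: Callable[[str, str], Dict[str, List[str]]]) -> List[str]:
    """The check the post asks for: every right anonymous holds on the target."""
    return sorted(granted_rights(parse_acl_rights(ger_query(ANON_DN, target_dn))))


# ---- CONSTRUCTED stand-in for the directory (replace with a real GER search) ----
TARGET_DN = "cn=sensitive-object,dc=example,dc=test"          # constructed
ADMIN_DN = "uid=admin,ou=people,dc=example,dc=test"           # constructed
USER_DN = "uid=alice,ou=people,dc=example,dc=test"            # constructed
# krbPrincipalKey is a real Kerberos schema attribute, used here only as an
# illustration of a secret-bearing attribute; the rights values are constructed.
ALL = "search:1, read:1, compare:1, write:1, selfwrite_add:1, selfwrite_delete:1, proxy:1"
NONE = "search:0, read:0, compare:0, write:0, selfwrite_add:0, selfwrite_delete:0, proxy:0"
MOCK_GER_RESPONSES: Dict[str, Dict[str, List[str]]] = {
    ADMIN_DN: {"aclRights;entryLevel": ["add:1, delete:1, read:1, write:1, proxy:1"],
               "aclRights;attributeLevel;krbPrincipalKey": [ALL]},
    USER_DN: {"aclRights;entryLevel": ["add:0, delete:0, read:1, write:0, proxy:0"],
              "aclRights;attributeLevel;cn": [NONE.replace("search:0, read:0, compare:0",
                                                           "search:1, read:1, compare:1")],
              "aclRights;attributeLevel;krbPrincipalKey": [NONE]},
    ANON_DN: {"aclRights;entryLevel": ["add:0, delete:0, read:0, write:0, proxy:0"],
              "aclRights;attributeLevel;cn": [NONE]},
}


def mock_ger_query(authz_dn: str, target_dn: str) -> Dict[str, List[str]]:
    """Pretends to run a base-scope search on target_dn with the GER control."""
    assert target_dn == TARGET_DN, "mock only knows one target"
    return MOCK_GER_RESPONSES[authz_dn]


if __name__ == "__main__":
    cands = [ADMIN_DN, USER_DN, ANON_DN]
    print("any right :", who_has_rights(TARGET_DN, cands, mock_ger_query))
    print("can write :", who_has_rights(TARGET_DN, cands, mock_ger_query, {"write"}))
    print("anonymous :", anonymous_exposure(TARGET_DN, mock_ger_query))
```

The candidate list is the expensive part of the reverse query: with the GER control the server only answers for one authorization identity per search, so the script has to enumerate the identities (users, service accounts, anonymous) it cares about and issue one search each.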



