[Freeipa-devel] LDAP ACI testing

Rob Crittenden rcritten at redhat.com
Mon Mar 31 13:23:20 UTC 2014


Petr Spacek wrote:
> Hello list,
>
> thread "[Freeipa-devel] Read access to container entries" reminded me of an
> idea I have had in mind for a while:
>
> We could check effective ACIs [1] for interesting objects (Kerberos
> master key, trust objects etc.) and make sure that there is nothing like
> 'read by anonymous' etc.
>
> Method [1] has one important limitation: it checks the ACIs in a given
> sub-tree against one specified DN.
>
> Realization of my idea would be better with a "reverse" approach:
> specify the DN of a single object as the "target" and get a list of all
> users with non-null access rights for the object in question. (This could
> be refined with a filter for specific rights so we can get "the list of
> DNs allowed to write to this object" etc.)
>
>
> Does it make sense?
>
>
>
> [1]
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html

Maybe. We've had a long-term need to run the unit tests as various other 
users to avoid delegation regressions. We really should have some subset 
of tests to do positive and negative testing of each role. We'd probably 
want to do these tests directly with the framework.

Ideally this could be extended to disabling anonymous access, setting 
minimum SSF, etc. This could probably be mostly done using GER.

rob
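One way to implement Petr's check offline, as an added example that is not from this thread or from FreeIPA: parse the entryLevelRights/attributeLevelRights attributes that 389-DS/RHDS returns for a Get Effective Rights (GER) search and flag any rights an identity should not have on a sensitive entry. The live fetch helper assumes python-ldap and that the server accepts the raw authzId string (`dn:` for anonymous) as the control value; the sample result below is constructed, not captured from a real server.

```python
"""Audit Get Effective Rights (GER) output for sensitive directory entries."""
from typing import Dict, List

# Rights letters used by 389-DS/RHDS in GER output:
#   entryLevelRights:     v=view/read  a=add  d=delete  n=rename
#   attributeLevelRights: r=read  s=search  c=compare  w=write  o=delete value
GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"   # Get Effective Rights request control


def parse_ger_entry(attrs: Dict[str, List[bytes]]) -> Dict[str, str]:
    """Map one returned entry's GER attributes to {name: rights letters}.
    Entry-level rights are stored under the pseudo-name '@entry'."""
    rights: Dict[str, str] = {}
    for raw in attrs.get("entryLevelRights", []):
        rights["@entry"] = raw.decode()
    for raw in attrs.get("attributeLevelRights", []):
        # 389-DS packs all attributes into one comma-separated value
        for item in raw.decode().split(","):
            name, _, letters = item.strip().partition(":")
            if name:
                rights[name] = letters
    return rights


def find_violations(identity: str, rights: Dict[str, str],
                    allowed: str = "") -> List[str]:
    """Return a finding for every right letter beyond the allowed set.
    For anonymous on a master-key entry the allowed set is empty."""
    findings = []
    for name, letters in rights.items():
        extra = "".join(sorted(set(letters) - set(allowed)))
        if extra:
            findings.append(f"{identity} has '{extra}' on {name}")
    return findings


def fetch_ger(conn, dn: str, authz_id: str) -> Dict[str, str]:
    """Live variant (assumption: python-ldap, raw authzId control value)."""
    import ldap
    from ldap.controls import LDAPControl
    ctrl = LDAPControl(GER_OID, True, authz_id.encode())
    res = conn.search_ext_s(dn, ldap.SCOPE_BASE, "(objectClass=*)",
                            ["*", "entryLevelRights", "attributeLevelRights"],
                            serverctrls=[ctrl])
    return parse_ger_entry(res[0][1]) if res else {}


# Constructed sample: what a GER search as anonymous ("dn:") against the
# Kerberos master-key entry might return if an ACI were too broad.
SAMPLE_ANON = {"entryLevelRights": [b"v"],
               "attributeLevelRights": [b"cn:rsc, krbMKey:rsc"]}
```

Running `find_violations("anonymous", parse_ger_entry(SAMPLE_ANON))` over the constructed sample yields one finding per over-granted attribute; looping `fetch_ger` over each role's DN and a list of sensitive entries gives the "who can touch this object" view Petr asked for.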
