[Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

Rob Crittenden rcritten at redhat.com
Mon Feb 18 14:47:55 UTC 2013


Petr Spacek wrote:
> On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:
>> Please guide us about the LDAP user
>> "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com".
>> Does it have read-only access or read-write access to the
>> "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com" ?
>> Because the file /etc/ldap.conf is readable by all users, I am
>> concerned about the security.
>
> You can get effective access rights for any DN:
>
> Command example:
> /usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389
> -h server.example.com -b "dc=example,dc=com" -s sub -J
> 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
> "(objectclass=*)"
>
> Example was taken from section 8.4.11:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html
>
>
> Effective access rights description:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html
>
>

You need the ldapsearch from mozldap-tools for this to work.

The user has read-only access to the tree but it has write access to 
itself (via the self-service rule).

rob
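The Get Effective Rights control returns `entryLevelRights` and `attributeLevelRights` per entry, which is what you would inspect to confirm the "read-only except itself" claim above. The following is an added example, not code from the thread or from FreeIPA: it parses constructed ldapsearch output for a `dn:uid=sudo,...` authorization identity and reports which entries the account could actually modify.

```python
# Constructed sample of ldapsearch output with the Get Effective Rights
# control (OID 1.3.6.1.4.1.42.2.27.9.5.2) for dn:uid=sudo,...; the rule
# names and rights shown are assumptions, not output from a real server.
SAMPLE_GER_OUTPUT = """\
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: uid:rsc, description:rscwo, userPassword:wo

dn: cn=sudorule1,cn=sudorules,cn=sudo,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: cn:rsc, memberUser:rsc, ipaEnabledFlag:rsc
"""

SUBJECT_DN = "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"
ENTRY_WRITE = set("adn")   # entry-level: add, delete, rename
ATTR_WRITE = set("woWO")   # attribute-level: write, obliterate, self-write add/delete


def parse_ger(text):
    """Return {dn: {'entry': set(codes), 'attrs': {attr: set(codes)}}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            current = entries.setdefault(value, {"entry": set(), "attrs": {}})
        elif current is not None and key == "entryLevelRights":
            # "none" means no rights; strip it so its letters are not read as codes
            current["entry"].update(value.replace("none", ""))
        elif current is not None and key == "attributeLevelRights":
            for item in value.split(","):
                attr, _, codes = item.strip().partition(":")
                current["attrs"].setdefault(attr, set()).update(codes.replace("none", ""))
    return entries


def writable(rights):
    """Names of attributes (or '<entry>') the subject could modify."""
    out = {"<entry>"} if rights["entry"] & ENTRY_WRITE else set()
    out.update(a for a, c in rights["attrs"].items() if c & ATTR_WRITE)
    return out


def summarize(text):
    return {dn: sorted(writable(r)) for dn, r in parse_ger(text).items()}


def read_only_except_self(text, subject_dn):
    """True if the only writable attributes are on the subject's own entry."""
    return all(not w for dn, w in summarize(text).items() if dn != subject_dn)


if __name__ == "__main__":
    for dn, attrs in summarize(SAMPLE_GER_OUTPUT).items():
        print(f"{dn}: writable={attrs or 'none'}")
    print("read-only except self:", read_only_except_self(SAMPLE_GER_OUTPUT, SUBJECT_DN))
```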