[Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

Alexander Bokovoy abokovoy at redhat.com
Mon Feb 18 15:02:15 UTC 2013


On Mon, 18 Feb 2013, Rob Crittenden wrote:
>Petr Spacek wrote:
>>On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote:
>>>Please guide us about the LDAP user
>>>"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com".
>>>Does it have read-only access or read-write access to the
>>>"uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"?
>>>Because the file /etc/ldap.conf is readable by all users, I am
>>>concerned about security.
>>
>>You can get effective access rights for any DN:
>>
>>Command example:
>>/usr/lib64/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389
>>-h server.example.com -b "dc=example,dc=com" -s sub -J
>>1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
>>"(objectclass=*)"
>>
>>Example was taken from section 8.4.11:
>>https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html
>>
>>
>>Effective access rights description:
>>https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html
>>
>>
>
>You need the ldapsearch from mozldap-tools for this to work.
>
>The user has read-only access to the tree but it has write access to 
>itself (via the self-service rule).
You can use ldapsearch from openldap too:
$ ldapsearch -D cn=directory\ manager -w XXXXX -b cn=sysaccounts,cn=etc,dc=ipa,dc=team -s sub -E 1.3.6.1.4.1.42.2.27.9.5.2 uid=sudo
# extended LDIF
#
# LDAPv3
# base <cn=sysaccounts,cn=etc,dc=ipa,dc=team> with scope subtree
# filter: uid=sudo
# requesting: ALL
#

# sudo, sysaccounts, etc, ipa.team
dn: uid=sudo,cn=sysaccounts,cn=etc,dc=ipa,dc=team
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: sudo
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXX
entryLevelRights: 21
attributeLevelRights: *:21


-- 
/ Alexander Bokovoy
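As an added example (not code from this thread), the same Get Effective Rights lookup done from Python with python-ldap: it asks the server what the sudo sysaccount may do to its own entry and to the tree, which is the read-only versus self-write distinction Rob describes. The server URI and Directory Manager password are placeholders taken from Petr's command; the parsing helpers run without a server.

```python
"""Check what a given identity may do to a FreeIPA/389-ds entry, using the
Get Effective Rights (GER) control that the thread queries with ldapsearch."""
try:
    import ldap  # python-ldap; needed only for the live query, not for the helpers
    from ldap.controls.simple import GetEffectiveRightsControl
except ImportError:  # keep the pure helpers importable without python-ldap
    ldap = None

# Letter codes documented in the RHDS "Get Effective Rights Control" section linked above.
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTRIBUTE_RIGHTS = {"r": "read", "s": "search", "c": "compare", "w": "write",
                    "o": "obliterate", "W": "self-write", "O": "self-delete"}


def parse_attribute_rights(values):
    """Map attributeLevelRights values (b'userPassword:rscwo', b'*:rsc') to {attr: codes}.
    The codes are kept as a string; the numeric form in the thread ('21') is not decoded."""
    rights = {}
    for value in values:
        attr, _, codes = value.decode().partition(":")
        rights[attr] = codes
    return rights


def has_right(attr_rights, attr, code):
    """True if `code` (e.g. 'w') is granted on `attr`, falling back to the '*' wildcard."""
    return code in attr_rights.get(attr, attr_rights.get("*", ""))


def effective_rights(conn, entry_dn, authz_dn):
    """Fetch entryLevelRights/attributeLevelRights of entry_dn as seen by authz_dn.
    Returns (entry_codes, {attr: codes}); needs a bound python-ldap connection."""
    ctrl = GetEffectiveRightsControl(True, authzId=("dn:" + authz_dn).encode())
    res = conn.search_ext_s(entry_dn, ldap.SCOPE_BASE, "(objectclass=*)",
                            ["*", "entryLevelRights", "attributeLevelRights"],
                            serverctrls=[ctrl])
    _, attrs = res[0]
    entry_codes = attrs.get("entryLevelRights", [b""])[0].decode()
    return entry_codes, parse_attribute_rights(attrs.get("attributeLevelRights", []))


if __name__ == "__main__":
    # Assumed values: server URI and Directory Manager password from Petr's command.
    SUDO_DN = "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"
    conn = ldap.initialize("ldap://server.example.com")
    conn.simple_bind_s("cn=directory manager", "secret")
    for dn in (SUDO_DN, "dc=example,dc=com"):
        entry, attrs = effective_rights(conn, dn, SUDO_DN)
        print(dn, "entry rights:", entry,
              "userPassword writable:", has_right(attrs, "userPassword", "w"))
```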