On Wed, 11 Oct 2023, Finn Fysj via FreeIPA-users wrote:

You have to use some identity to bind to LDAP. For example, use your own
user account.

$ ldapsearch -x -H ldap://new.ipa1 \
   -D uid=finn,cn=users,cn=accounts,dc=example,dc=com -W \
   -b cn=users,cn=accounts,dc=example,dc=com \
   '(uid=finn)' memberOf ipasshpubkey

The -D option to ldapsearch provides the LDAP DN to bind as.
The -W option to ldapsearch says 'ask for a password'.


Perhaps somebody did set up relaxed access controls on your old IPA
servers? It is certainly not what we aim for, especially these days.
That could be.

Have there been any changes to permissions?

IPA memberof access permission was always limited to authenticated LDAP
binds.

The old IPA is running: 4.6.8
The new IPA is running: 4.10.1.


I've also found the following on the old IPA:
 dn: cn=Anonymous ipaSSHPubKey read,cn=permissions,cn=pbac,dc=example,dc=com
 Permission name: Anonymous ipaSSHPubKey read
 Granted rights: read
 Effective attributes: ipasshpubkey
 Included attributes: ipasshpubkey
 Bind rule type: anonymous
 Subtree: cn=users,cn=accounts,dc=example,dc=com
 Raw target filter: (objectclass=posixaccount)
 Type: user
 Permission flags: SYSTEM, V2
 objectclass: top, groupofnames, ipapermission, ipapermissionv2

So this is what somebody (old admin?) added explicitly.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
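A defender's check for the kind of entry quoted above, added here and not part of the thread: it parses output in the `ipa permission-find --all` style (format assumed to match the block quoted in the message; the sample data is constructed and the second permission is hypothetical) and reports every permission whose bind rule is anonymous, together with the attributes it exposes.

```python
"""Audit IPA permission entries for anonymous-bind attribute exposure."""

# Constructed sample in the "Key: value" block format quoted in the thread.
# Block 1 is the entry from the message; block 2 is a hypothetical
# authenticated-only permission added for contrast.
SAMPLE_OUTPUT = """\
  dn: cn=Anonymous ipaSSHPubKey read,cn=permissions,cn=pbac,dc=example,dc=com
  Permission name: Anonymous ipaSSHPubKey read
  Granted rights: read
  Effective attributes: ipasshpubkey
  Included attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Raw target filter: (objectclass=posixaccount)
  Type: user
  Permission flags: SYSTEM, V2

  dn: cn=Example: Read memberOf (authenticated),cn=permissions,cn=pbac,dc=example,dc=com
  Permission name: Example: Read memberOf (authenticated)
  Granted rights: read, search, compare
  Effective attributes: memberof
  Bind rule type: all
  Subtree: cn=users,cn=accounts,dc=example,dc=com
  Type: user
"""

# Attributes the thread treats as not meant for anonymous readers.
SENSITIVE_ATTRS = {"ipasshpubkey", "memberof"}


def parse_permissions(text):
    """Split permission-find style output into one dict per blank-line-separated block."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")  # first ": " separates field name from value
        if sep:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def anonymous_exposures(entries):
    """Return (name, subtree, exposed attrs, sensitive attrs) for each anonymous-bind permission."""
    findings = []
    for e in entries:
        if e.get("Bind rule type", "").lower() != "anonymous":
            continue
        attrs = e.get("Effective attributes") or e.get("Included attributes", "")
        exposed = sorted({a.strip().lower() for a in attrs.split(",") if a.strip()})
        name = e.get("Permission name") or e.get("dn", "?")
        findings.append((name, e.get("Subtree", ""), exposed, sorted(SENSITIVE_ATTRS & set(exposed))))
    return findings


if __name__ == "__main__":
    for name, subtree, exposed, sensitive in anonymous_exposures(parse_permissions(SAMPLE_OUTPUT)):
        print(f"ANONYMOUS READ: {name!r} on {subtree}: {exposed} (sensitive: {sensitive})")
```

To run it against a real server, replace SAMPLE_OUTPUT with the captured output of `ipa permission-find --all` on both the old and the new IPA and diff the findings.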
_______________________________________________
FreeIPA-users mailing list -- [email protected]
