Rael S-R via FreeIPA-users wrote: > # Context: > > ## Goal > I eventually want to have a sysaccount with readonly access to a number of > attributes in our FreeIPA deployment, which will be used by verification > scripts in a scheduled pipeline that will prove certain accounts exist or do > no exist. One of those checks is making sure that all the "sysaccounts" are > expected (no extras), so I'll want a sysaccount that can list the other > sysaccounts. > > ## Related posts and resources > I've already seen some related posts, but I am still experiencing issues that > I do not understand at this time: > - "Allow sysaccount to view its own entry" : > https://lists.fedorahosted.org/archives/list/[email protected]/thread/2V3LUZ7DAGASSZUZDJ7ZIWQZ3DO5DN23/#2V3LUZ7DAGASSZUZDJ7ZIWQZ3DO5DN23 > - Probably the closest to my eventual goal, but I want a sysaccount that > can get a list of other sysaccounts > - FreeIPA Docs > LDAP > System Accounts : > https://www.freeipa.org/page/HowTo/LDAP#system-accounts > - I have created a number of accounts using the method listed here. These > accounts are already in use and enable some of our internally deployed > services to authenticate users via LDAP. > - "Grant extra permissions to System Accounts" : > https://lists.fedorahosted.org/archives/list/[email protected]/thread/IIWJ4O3TI44Q7QB4MYRLUCXERWTHFXG3/ > - mainly relevant because my underlying goal is to have a sysaccount that > can read the attributes and sysaccount memberships cannot be managed through > the web interface. > - Documentation on ACIs: > https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/managing_access_control/assembly_managing-access-control-instructions_managing-access-control#con_aci-placement_assembly_managing-access-control-instructions > - I only recently found out about ACIs and was previously only aware of the > "Permissions/Privileges/Roles" aspect seen in the FreeIPA web UI. From > testing, my understanding is that permissions are 1-to-1 with ACIs, though > they get two entries: an LDAP entry under "cn=permissions,cn=pbac,..." and > then a corresponding ACI attribute on the referenced LDAP entry. > > ## Technical > - IPA version 4.12.2 > - viewing of underlying LDAP is being done through a locally run instance of > "phpLDAPadmin" > - https://github.com/osixia/docker-phpLDAPadmin > > ## Personal > I'm not an LDAP expert and have been trying to understand the various search > and filter patterns from examples online, but it's quite likely I am messing > up something in the syntax, or not correctly understanding the LDAP > structure. Where possible I've tried to model my attempts on existing records > or documentation (such as trying to match the created permission looks > similar in LDAP to the `System: Read User Kerberos Login Attributes` > permission) > > # Specific confusion > > I have been unable to get an ACI that allows a non-admin the ability to see > the children of the "cn=sysaccounts,cn=etc,..." sub tree. > My current test setup is: > - My own admin user account (rael) > - I am using this to read LDAP attributes and verify the data present, as > well as edit permissions/privileges/roles in the web interface > - A simple user account (rael_test) > - Is a posix account > - is a member of a fresh "FreeIPA State Verifier" role > - "FreeIPA State Verifier" role has the privilege "testPriv", which has the > permission "testPermission" (names adjusted to remove internal ticket > information) > - "testPermission" is configured to grant "read", "search" and "compare" > rights > - target subtree: `cn=sysaccounts,cn=etc,...` > - extra target filter: `(objectclass=simplesecurityobject)` > - I have also tried this with more permissive options, like > `(objectclass=account)` or `(objectclass=*)` > - effective attributes: `description`, `uid`, `dn` > > With this setup, the `rael_test` account is still unable to see any of the > system accounts that have been created under "cn=sysaccounts,cn=etc,...". > What is the reason for this? > Why can't the `rael_test` account list the existing accounts that exist under > the "cn=sysaccounts,cn=etc,..." tree? > > ## Details > The relevant ACI on `cn=sysaccounts,cn=etc,dc=ghs,dc=nl`: > ```ini > aci: > (targetattr = "description || dn || uid") > (targetfilter = "(objectClass=simplesecurityobject)") > (version 3.0;acl "permission:testPerm";allow (compare,read,search) > groupdn = "ldap:///cn=testPerm,cn=permissions,cn=pbac,dc=ghs,dc=nl";;) > ``` > > Permission LDIFF: > ```ini > version: 1 > > # Entry 1: cn=testPerm,cn=permissions,cn=pbac,dc=ghs,d... > dn: cn=testPerm,cn=permissions,cn=pbac,dc=ghs,dc=nl > cn: testPerm > ipapermbindruletype: permission > ipapermincludedattr: uid > ipapermincludedattr: description > ipapermincludedattr: dn > ipapermissiontype: SYSTEM > ipapermissiontype: V2 > ipapermlocation: cn=sysaccounts,cn=etc,dc=ghs,dc=nl > ipapermright: read > ipapermright: search > ipapermright: compare > ipapermtargetfilter: (objectclass=simplesecurityobject) > member: cn=testPriv,cn=privileges,cn=pbac,dc=ghs,dc=nl > objectclass: top > objectclass: groupofnames > objectclass: ipapermission > objectclass: ipapermissionv2 > ``` > > > `rael_test` account permissions: > ```ini > version: 1 > > # Entry 1: uid=rael_test,cn=users,cn=accounts,dc=ghs,dc=nl > dn: uid=rael_test,cn=users,cn=accounts,dc=ghs,dc=nl > cn: rael user_level > displayname: rael user_level > gecos: rael user_level > gidnumber: 62018 > givenname: rael > homedirectory: /home/rael_test > loginshell: /bin/bash > mail: [email protected] > memberof: cn=ipausers,cn=groups,cn=accounts,dc=ghs,dc=nl > memberof: cn=emea_users,cn=groups,cn=accounts,dc=ghs,dc=nl > memberof: ipaUniqueID=da7a1b20-e360-11e8-8530-64006a50df1b,cn=hbac,... > memberof: ipaUniqueID=ddb2cb20-e360-11e8-9400-64006a50df1b,cn=hbac,... > memberof: ipaUniqueID=de9d0a8c-e360-11e8-9d46-64006a50df1b,cn=hbac,... > memberof: ipaUniqueID=e03af1b0-e360-11e8-b7e1-64006a50df1b,cn=hbac,... > memberof: ipaUniqueID=a1ac6390-ffb4-11e9-9e0a-1866da6daa3e,cn=hbac,... > memberof: cn=workstation_users,cn=groups,cn=accounts,dc=ghs,dc=nl > memberof: cn=FreeIPA State Verifier,cn=roles,cn=accounts,dc=ghs,dc=nl > memberof: cn=testPriv,cn=privileges,cn=pbac,dc=ghs,dc=nl > memberof: cn=testPerm,cn=permissions,cn=pbac,dc=ghs,dc=nl > memberof: > ipaUniqueID=a09b5cf0-b9db-11ee-8c88-509a4c9d3b10,cn=sudorules,cn=sudo,dc=ghs,dc=nl > mepmanagedentry: cn=rael_test,cn=groups,cn=accounts,dc=ghs,dc=nl > objectclass: top > objectclass: person > objectclass: organizationalperson > objectclass: inetorgperson > objectclass: inetuser > objectclass: posixaccount > objectclass: krbprincipalaux > objectclass: krbticketpolicyaux > objectclass: ipaobject > objectclass: ipasshuser > objectclass: ipaSshGroupOfPubKeys > objectclass: mepOriginEntry > objectclass: ipantuserattrs > sn: user_level > uid: rael_test > uidnumber: 62018 > ``` > > > > Please let me know if more information is needed. >
Try adding objectclass to the set of allowed read attributes. rob -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
