> On 16 Nov 2023, at 11:50, John Apple II <jappl...@redhat.com> wrote: > > Hi, William, > > I am working on trying to figure out how to some basic monitoring IdM > Replication with a non-Directory-Manager service-account for some internal > work I do where we use IdM, and I'm trying to work on figuring out how to > create a service-account that will allow some basic monitoring for LDAP > replication between the IdM nodes (hopefully similar to cipa?). > > I've been looking for information all over the web (including this list) for > this for about a month now. If you've made any progress on something similar > related to this, I'd be interested in collaborating. I've come up with a > basic LDIF and some test python code to validate the ACIs for the > service-account, but nothing else as it took me 5 days just to figure out how > to write ACI's. > > In case it can help anyone in the future, my current LDIF follows - the goal > is to individually pull each server's LDAP entries directly (as a start) and > then compare them, but it allows the service-account to access the > replication data in the directory as well as the sysaccounts directory itself. > > > SUFFIX="dc=domain,dc=example,dc=com" > ldif follows: > ---- > dn: uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX > changetype: add > objectclass: account > objectclass: simplesecurityobject > uid: replmonitor > userPassword: NOTAREALPASSWORD > passwordExpirationTime: 20381231235959Z > nsIdleTimeout: 0 > > dn: cn=sysaccounts,cn=etc,SUFFIX > changetype: modify > add: aci > aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || > sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || > krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || > krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || > enrolledBy || ipaNTHash || ipaProtectedOperation || aci || member") (version > 3.0; acl "allow (compare,read,search) of sysaccounts by replmonitor"; > allow(search,read,compare) userdn = > "ldap:///uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX";;) > > dn: cn=config > changetype: modify > add: aci > aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || > sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || > krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || > krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || > enrolledBy || ipaNTHash || ipaProtectedOperation || aci || member") (version > 3.0; acl "allow (compare,read,search) of cn=config by replmonitor"; > allow(search,read,compare) userdn = > "ldap:///uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX";;)
don't use != rules, they have bypasses allowing full directory data disclosure. See https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/defining_targets Generally to monitor replication you should look at the replication monitoring tools from the 389 project in dsconf (I think). -- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
