# Context

## Goal

I eventually want to have a sysaccount with read-only access to a number of attributes in our FreeIPA deployment, which will be used by verification scripts in a scheduled pipeline that will prove certain accounts exist or do not exist. One of those checks is making sure that all the "sysaccounts" are expected (no extras), so I'll want a sysaccount that can list the other sysaccounts.
## Related posts and resources

I've already seen some related posts, but I am still experiencing issues that I do not understand at this time:

- "Allow sysaccount to view its own entry": https://lists.fedorahosted.org/archives/list/[email protected]/thread/2V3LUZ7DAGASSZUZDJ7ZIWQZ3DO5DN23/#2V3LUZ7DAGASSZUZDJ7ZIWQZ3DO5DN23
  - Probably the closest to my eventual goal, but I want a sysaccount that can get a list of other sysaccounts.
- FreeIPA Docs > LDAP > System Accounts: https://www.freeipa.org/page/HowTo/LDAP#system-accounts
  - I have created a number of accounts using the method listed here. These accounts are already in use and enable some of our internally deployed services to authenticate users via LDAP.
- "Grant extra permissions to System Accounts": https://lists.fedorahosted.org/archives/list/[email protected]/thread/IIWJ4O3TI44Q7QB4MYRLUCXERWTHFXG3/
  - Mainly relevant because my underlying goal is to have a sysaccount that can read the attributes, and sysaccount memberships cannot be managed through the web interface.
- Documentation on ACIs: https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/managing_access_control/assembly_managing-access-control-instructions_managing-access-control#con_aci-placement_assembly_managing-access-control-instructions
  - I only recently found out about ACIs and was previously only aware of the "Permissions/Privileges/Roles" aspect seen in the FreeIPA web UI. From testing, my understanding is that permissions are 1-to-1 with ACIs, though they get two entries: an LDAP entry under "cn=permissions,cn=pbac,..." and then a corresponding ACI attribute on the referenced LDAP entry.
## Technical

- IPA version 4.12.2
- Viewing of the underlying LDAP is being done through a locally run instance of "phpLDAPadmin": https://github.com/osixia/docker-phpLDAPadmin

## Personal

I'm not an LDAP expert and have been trying to understand the various search and filter patterns from examples online, but it's quite likely I am messing up something in the syntax, or not correctly understanding the LDAP structure. Where possible I've tried to model my attempts on existing records or documentation (such as trying to make the created permission look similar in LDAP to the `System: Read User Kerberos Login Attributes` permission).

# Specific confusion

I have been unable to get an ACI that allows a non-admin the ability to see the children of the "cn=sysaccounts,cn=etc,..." subtree. My current test setup is:

- My own admin user account (rael)
  - I am using this to read LDAP attributes and verify the data present, as well as to edit permissions/privileges/roles in the web interface
- A simple user account (rael_test)
  - Is a posix account
  - Is a member of a fresh "FreeIPA State Verifier" role
  - The "FreeIPA State Verifier" role has the privilege "testPriv", which has the permission "testPermission" (names adjusted to remove internal ticket information)
  - "testPermission" is configured to grant "read", "search" and "compare" rights
    - target subtree: `cn=sysaccounts,cn=etc,...`
    - extra target filter: `(objectclass=simplesecurityobject)`
      - I have also tried this with more permissive options, like `(objectclass=account)` or `(objectclass=*)`
    - effective attributes: `description`, `uid`, `dn`

With this setup, the `rael_test` account is still unable to see any of the system accounts that have been created under "cn=sysaccounts,cn=etc,...". What is the reason for this? Why can't the `rael_test` account list the existing accounts that exist under the "cn=sysaccounts,cn=etc,..." tree?
## Details

The relevant ACI on `cn=sysaccounts,cn=etc,dc=ghs,dc=nl`:

```ini
aci: (targetattr = "description || dn || uid") (targetfilter = "(objectClass=simplesecurityobject)") (version 3.0;acl "permission:testPerm";allow (compare,read,search) groupdn = "ldap:///cn=testPerm,cn=permissions,cn=pbac,dc=ghs,dc=nl";)
```

Permission LDIF:

```ini
version: 1

# Entry 1: cn=testPerm,cn=permissions,cn=pbac,dc=ghs,d...
dn: cn=testPerm,cn=permissions,cn=pbac,dc=ghs,dc=nl
cn: testPerm
ipapermbindruletype: permission
ipapermincludedattr: uid
ipapermincludedattr: description
ipapermincludedattr: dn
ipapermissiontype: SYSTEM
ipapermissiontype: V2
ipapermlocation: cn=sysaccounts,cn=etc,dc=ghs,dc=nl
ipapermright: read
ipapermright: search
ipapermright: compare
ipapermtargetfilter: (objectclass=simplesecurityobject)
member: cn=testPriv,cn=privileges,cn=pbac,dc=ghs,dc=nl
objectclass: top
objectclass: groupofnames
objectclass: ipapermission
objectclass: ipapermissionv2
```

`rael_test` account permissions:

```ini
version: 1

# Entry 1: uid=rael_test,cn=users,cn=accounts,dc=ghs,dc=nl
dn: uid=rael_test,cn=users,cn=accounts,dc=ghs,dc=nl
cn: rael user_level
displayname: rael user_level
gecos: rael user_level
gidnumber: 62018
givenname: rael
homedirectory: /home/rael_test
loginshell: /bin/bash
mail: [email protected]
memberof: cn=ipausers,cn=groups,cn=accounts,dc=ghs,dc=nl
memberof: cn=emea_users,cn=groups,cn=accounts,dc=ghs,dc=nl
memberof: ipaUniqueID=da7a1b20-e360-11e8-8530-64006a50df1b,cn=hbac,...
memberof: ipaUniqueID=ddb2cb20-e360-11e8-9400-64006a50df1b,cn=hbac,...
memberof: ipaUniqueID=de9d0a8c-e360-11e8-9d46-64006a50df1b,cn=hbac,...
memberof: ipaUniqueID=e03af1b0-e360-11e8-b7e1-64006a50df1b,cn=hbac,...
memberof: ipaUniqueID=a1ac6390-ffb4-11e9-9e0a-1866da6daa3e,cn=hbac,...
memberof: cn=workstation_users,cn=groups,cn=accounts,dc=ghs,dc=nl
memberof: cn=FreeIPA State Verifier,cn=roles,cn=accounts,dc=ghs,dc=nl
memberof: cn=testPriv,cn=privileges,cn=pbac,dc=ghs,dc=nl
memberof: cn=testPerm,cn=permissions,cn=pbac,dc=ghs,dc=nl
memberof: ipaUniqueID=a09b5cf0-b9db-11ee-8c88-509a4c9d3b10,cn=sudorules,cn=sudo,dc=ghs,dc=nl
mepmanagedentry: cn=rael_test,cn=groups,cn=accounts,dc=ghs,dc=nl
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: ipasshuser
objectclass: ipaSshGroupOfPubKeys
objectclass: mepOriginEntry
objectclass: ipantuserattrs
sn: user_level
uid: rael_test
uidnumber: 62018
```

Please let me know if more information is needed.

--
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
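The "no extra sysaccounts" check that the post's pipeline is meant to run, written out as an added example; this is not code from the original post or from FreeIPA. It assumes the pipeline first binds as the (future) verifier sysaccount and dumps the subtree with `ldapsearch -LLL` (the command is shown in a comment), then feeds that LDIF to `check_sysaccounts()`. The base DN `dc=example,dc=test`, the uids `gitlab`, `jenkins`, `rogue`, `monitoring` and the whole `SAMPLE_LDIF` are constructed sample data. The one design point worth noting is the empty-result guard: a bind DN that lacks search/read rights on the subtree gets zero entries back, not an access-denied error (which is exactly the symptom in the post), so a verifier that treats "nothing returned" as "no extras" would silently pass.

```python
"""Offline check of the sysaccount allow-list (added example, not from the post)."""
import base64
from typing import Dict, List, Tuple

# The pipeline step that produces the LDIF (assumed, not shown in the post):
#   ldapsearch -LLL -x -H ldaps://ipa.example.test \
#       -D "uid=verifier,cn=sysaccounts,cn=etc,dc=example,dc=test" -W \
#       -b "cn=sysaccounts,cn=etc,dc=example,dc=test" \
#       "(objectClass=simplesecurityobject)" uid description
#
# Constructed sample output (not the poster's directory). It deliberately
# contains a folded line, a base64 ('::') value, a comment, one account that
# is not on the allow-list, and one entry from outside the subtree.
SAMPLE_LDIF = """\
# constructed sample, not real data
dn: uid=gitlab,cn=sysaccounts,cn=etc,dc=example,dc=test
uid: gitlab
description: bind account for
  GitLab

dn: uid=jenkins,cn=sysaccounts,cn=etc,dc=example,dc=test
uid: jenkins
description:: YmluZCBhY2NvdW50IGZvciBKZW5raW5z

dn: uid=rogue,cn=sysaccounts,cn=etc,dc=example,dc=test
uid: rogue
description: nobody approved this one

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
"""

# The allow-list the pipeline would keep in version control (constructed).
EXPECTED_SYSACCOUNTS = ["gitlab", "jenkins", "monitoring"]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    decodes 'attr:: <base64>' values, skips comments and the version header.
    Enough for the output of ldapsearch -LLL; not a full RFC 2849 parser."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        if name == "version" and not current:
            continue
        if rest.startswith(":"):             # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_sysaccounts(ldif_text: str, expected: List[str],
                      base_dn: str) -> Tuple[List[str], List[str]]:
    """Compare the uids found directly under cn=sysaccounts,cn=etc,<base_dn>
    with the allow-list. Returns (unexpected, missing), both sorted.

    Raises instead of returning "no extras" when nothing came back: a bind DN
    without read/search rights on the subtree sees zero entries, not an error."""
    subtree = f"cn=sysaccounts,cn=etc,{base_dn}".lower()
    seen = set()
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0].lower()
        _rdn, _, parent = dn.partition(",")
        if parent != subtree:                # only direct children of the subtree
            continue
        seen.update(entry.get("uid", []))
    if not seen:
        raise RuntimeError(
            "no entries under " + subtree + ": the subtree is empty or the bind "
            "DN lacks read/search rights there (ACIs hide entries silently)")
    want = set(expected)
    return sorted(seen - want), sorted(want - seen)


if __name__ == "__main__":
    extra, missing = check_sysaccounts(SAMPLE_LDIF, EXPECTED_SYSACCOUNTS,
                                       "dc=example,dc=test")
    print("unexpected sysaccounts:", extra)    # ['rogue']
    print("missing sysaccounts:   ", missing)  # ['monitoring']
```

In a pipeline, a non-empty `unexpected` list is the finding that should fail the job; the `RuntimeError` path is the one to watch while the ACI question in the post is still open, because it is what distinguishes "the permission works and there are no extras" from "the bind account cannot see the subtree at all".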
