Wednesday, November 15, 2023

[389-users] Re: Documentation as to how replication works

> On 16 Nov 2023, at 11:50, John Apple II <jappleii@redhat.com> wrote:
>
> Hi, William,
>
> I am working on trying to figure out how to some basic monitoring IdM Replication with a non-Directory-Manager service-account for some internal work I do where we use IdM, and I'm trying to work on figuring out how to create a service-account that will allow some basic monitoring for LDAP replication between the IdM nodes (hopefully similar to cipa?).
>
> I've been looking for information all over the web (including this list) for this for about a month now. If you've made any progress on something similar related to this, I'd be interested in collaborating. I've come up with a basic LDIF and some test python code to validate the ACIs for the service-account, but nothing else as it took me 5 days just to figure out how to write ACI's.
>
> In case it can help anyone in the future, my current LDIF follows - the goal is to individually pull each server's LDAP entries directly (as a start) and then compare them, but it allows the service-account to access the replication data in the directory as well as the sysaccounts directory itself.
>
>
> SUFFIX="dc=domain,dc=example,dc=com"
> ldif follows:
> ----
> dn: uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: replmonitor
> userPassword: NOTAREALPASSWORD
> passwordExpirationTime: 20381231235959Z
> nsIdleTimeout: 0
>
> dn: cn=sysaccounts,cn=etc,SUFFIX
> changetype: modify
> add: aci
> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation || aci || member") (version 3.0; acl "allow (compare,read,search) of sysaccounts by replmonitor"; allow(search,read,compare) userdn = "ldap:///uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX";)
>
> dn: cn=config
> changetype: modify
> add: aci
> aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation || aci || member") (version 3.0; acl "allow (compare,read,search) of cn=config by replmonitor"; allow(search,read,compare) userdn = "ldap:///uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX";)

don't use != rules, they have bypasses allowing full directory data disclosure. See https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/defining_targets


Generally to monitor replication you should look at the replication monitoring tools from the 389 project in dsconf (I think).


--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

No comments:

Post a Comment