> On 16 Nov 2023, at 11:50, John Apple II <jappleii@xxxxxxxxxx> wrote: > > Hi, William, > > I am working on trying to figure out how to some basic monitoring IdM Replication with a non-Directory-Manager service-account for some internal work I do where we use IdM, and I'm trying to work on figuring out how to create a service-account that will allow some basic monitoring for LDAP replication between the IdM nodes (hopefully similar to cipa?). > > I've been looking for information all over the web (including this list) for this for about a month now. If you've made any progress on something similar related to this, I'd be interested in collaborating. I've come up with a basic LDIF and some test python code to validate the ACIs for the service-account, but nothing else as it took me 5 days just to figure out how to write ACI's. > > In case it can help anyone in the future, my current LDIF follows - the goal is to individually pull each server's LDAP entries directly (as a start) and then compare them, but it allows the service-account to access the replication data in the directory as well as the sysaccounts directory itself. > > > SUFFIX="dc=domain,dc=example,dc=com" > ldif follows: > ---- > dn: uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX > changetype: add > objectclass: account > objectclass: simplesecurityobject > uid: replmonitor > userPassword: NOTAREALPASSWORD > passwordExpirationTime: 20381231235959Z > nsIdleTimeout: 0 > > dn: cn=sysaccounts,cn=etc,SUFFIX > changetype: modify > add: aci > aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation || aci || member") (version 3.0; acl "allow (compare,read,search) of sysaccounts by replmonitor"; allow(search,read,compare) userdn = "ldap:///uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX";;) > > dn: cn=config > changetype: modify > add: aci > aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation || aci || member") (version 3.0; acl "allow (compare,read,search) of cn=config by replmonitor"; allow(search,read,compare) userdn = "ldap:///uid=replmonitor,cn=sysaccounts,cn=etc,SUFFIX";;) don't use != rules, they have bypasses allowing full directory data disclosure. See https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/defining_targets Generally to monitor replication you should look at the replication monitoring tools from the 389 project in dsconf (I think). -- Sincerely, William Brown Senior Software Engineer, Identity and Access Management SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
