Non-Default Root Administrator without bypass-acl

This topic contains 10 replies, has 3 voices, and was last updated by  udbolla 1 week, 1 day ago.

  • #19570
     rezaansyed 
    Participant

    Hello,

    I am trying to create a non-default root administrator in addition to the “cn=Directory Manager” that already exists. However for this new admin, I want to remove bypass-acl, modify-acl and privilege-change privileges. When I do so through ldapmodify, it tells me that the operation succeeded. But when I check the DN properties through running get-root-dn-prop, I get the following exception:

    The version of the installed OpenDJ could not be determined because an error
    occurred while reading the current configuration: NullPointerException
    (BuildVersion.java:79 BuildVersion.java:94
    LdapManagementContextFactory.java:98 GetPropSubCommandHandler.java:202
    DsConfig.java:729 DsConfig.java:600 DsConfig.java:313 DsConfig.java:280)

    I followed the OpenDJ 5.0 Security Guide to create the new administrator and limit privileges. But this issue prevents me from being able to add entries as the root user. Is there a better way of doing this?

    #19571
     Michelle Reagin 
    Participant

    Have you tried viewing the new admin directly with ldapsearch?

    https://backstage.forgerock.com/docs/ds/5.5/reference/#ldapsearch-1

    When you specify the attributes to return, you can just use the following to return all operational attributes: “+”

    #19573
     rezaansyed 
    Participant

    Yes I have and I see the following output:
    config” -s sub “cn=Alternate DM”
    dn: cn=Alternate DM,cn=Root DNs,cn=config
    objectClass: ds-cfg-root-dn-user
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    sn: Administrator
    cn: Alternate DM
    givenName: Backup
    ds-cfg-alternate-bind-dn: cn=Alternate DM

    But nothing to indicate what privileges it has.

    #19574
     rezaansyed 
    Participant

    Sorry I forgot to add the “+” attribute in the previous one. Here is the updated output.

    dn: cn=Alternate DM,cn=Root DNs,cn=config
    ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
    etag: 00000000bfaefafe
    ds-rlim-lookthrough-limit: 0
    ds-rlim-idle-time-limit: 0
    ds-privilege-name: -password-reset
    ds-privilege-name: -bypass-acl
    ds-privilege-name: -privilege-change
    creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
    modifyTimestamp: 20171113210703Z
    entryDN: cn=Alternate DM,cn=Root DNs,cn=config
    ds-rlim-time-limit: 0
    modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
    ds-rlim-size-limit: 0
    entryUUID: 27db6a1b-d17e-405c-a48c-7028905545af
    hasSubordinates: false
    pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config
    createTimestamp: 20171113205612Z
    structuralObjectClass: inetOrgPerson
    pwdChangedTime: 20171113205612.791Z
    subschemaSubentry: cn=schema
    numSubordinates: 0

    I tried creating a new entry and am getting:
    The LDAP modify request failed: 50 (Insufficient Access Rights)

    #19575
     Michelle Reagin 
    Participant

    Get-root-dn-prop is looking at the default root user privileges, not the non-default. I’m not certain why it is throwing that error for you. You may want to check dn: “cn=Root DNs,cn=config” to ensure it has all of the privileges still set.

    Thank you for posting the LDIF. That helps a lot. Remove the leading – from the attribute values. It should be as follows:
    ds-privilege-name: password-reset
    ds-privilege-name: bypass-acl
    ds-privilege-name: privilege-change

    #19576
     rezaansyed 
    Participant

    So I am trying to use the non-default admin to be able to do everything that the default admin can do except bypass-acl, modify-acl and privilege-change. I checked the “cn=Root DNs,cn=config” and ensured that the default privileges are still there. The issue here is not being able to do commands such as ldapmodify after removing the privileges mentioned for the non-default admin. Following the docs (https://backstage.forgerock.com/docs/ds/5/security-guide/#limit-privileges) I used the following ldif:

    dn: cn=Alternate DM,cn=Root DNs,cn=config
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: -bypass-acl
    ds-privilege-name: -modify-acl
    ds-privilege-name: -privilege-change

    This shouldn’t be affecting ldap operations. It only doesn’t allow the admin to modify ACIs and change privileges for other users. Do you know how I can remove these without affecting operations like ldapmodify?

    #19578
     Michelle Reagin 
    Participant

    Ah, that’s what I get for multitasking while answering forum posts!

    So, yes, using – as a prefix to remove a default privilege is fine and works as documented. However, notice that you have removed “bypass-acl”. At this moment it has the same rights as any random normal user in your Directory Server, which is little to nothing depending on your server’s ACL. You’ll need to create one or more ACIs to allow the account to do the things you want it to do if you want to keep it from bypassing ACLs.

    If you do not want to create ACIs granting the alternate DM user the access it needs, then allow the account the bypass-acl privilege. Note that the ldapmodify command will continue to prevent the modifying of ACLs and the changing of privileges since you have removed those privileges from the alternate DM user.
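
The privilege resolution discussed in the replies above, as an added example that is not part of the original thread or of OpenDJ itself: it applies the "-" prefixed ds-privilege-name values from the posted entry to the root defaults and lists the privileges that were meant to be removed but are still in effect. The default list is a constructed sample (an assumption, not read from the poster's server), and the function names are hypothetical.

```python
# Added example: resolve a root DN's effective privileges from LDIF text.
# DEFAULTS_LDIF is a constructed sample (a subset of real privilege names);
# ACCOUNT_LDIF repeats the ds-privilege-name values posted in the thread.
DEFAULTS_LDIF = """\
dn: cn=Root DNs,cn=config
ds-cfg-default-root-privilege-name: bypass-acl
ds-cfg-default-root-privilege-name: modify-acl
ds-cfg-default-root-privilege-name: config-read
ds-cfg-default-root-privilege-name: password-reset
ds-cfg-default-root-privilege-name: privilege-change
"""
ACCOUNT_LDIF = """\
dn: cn=Alternate DM,cn=Root DNs,cn=config
ds-privilege-name: -password-reset
ds-privilege-name: -bypass-acl
ds-privilege-name: -privilege-change
"""
INTENDED_REMOVALS = ["bypass-acl", "modify-acl", "privilege-change"]  # from the first post

def ldif_values(ldif, attr):
    """Values of attr (case-insensitive) in a single-entry, unfolded LDIF."""
    values = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values

def effective_privileges(defaults_ldif, account_ldif):
    """Start from the root defaults, then apply the entry's own values."""
    effective = set(ldif_values(defaults_ldif, "ds-cfg-default-root-privilege-name"))
    for value in ldif_values(account_ldif, "ds-privilege-name"):
        if value.startswith("-"):
            effective.discard(value[1:])  # "-name" removes an inherited privilege
        else:
            effective.add(value)          # a bare name grants an extra one
    return effective

def still_held(intended_removals, effective):
    """Privileges that were meant to be removed but are still effective."""
    return [p for p in intended_removals if p in effective]

def subject_to_acis(effective):
    """Without bypass-acl, every operation must be allowed by an ACI."""
    return "bypass-acl" not in effective

if __name__ == "__main__":
    print(sorted(effective_privileges(DEFAULTS_LDIF, ACCOUNT_LDIF)))
```

On the posted entry this reports modify-acl as still held, because the entry carries -password-reset where the first post intended -modify-acl.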

    #19586
     rezaansyed 
    Participant

    Thanks Michelle! I know that ldapmodify won’t be able to modify acls or change privileges as that was the intention. However, I’m not quite sure which ACIs to create in order to allow read/write of the LDAP directory but still keeping it from bypassing ACLs. Could you point me in the right direction with regards to that?

    #19592
     Michelle Reagin 
    Participant

    ACI is a very complex topic and takes quite a bit of time and work to understand and compose well.

    The first question to ask when you need a new ACI is, “What am I trying to accomplish?”

    If your answer is that you want the Alternate DM user to be able to do anything the Directory Manager can do with ldapmodify, then you don’t need a new ACI. Just allow it to bypass ACLs.

    However, if your answer is that you want it to be able to modify only a certain subset of your entries and perhaps only a particular subset of attributes used in those entries, then leave Alternate DM user as is (not able to bypass ACLs) and create an ACI that gives it exactly the access it needs.

    Some pages that can help you with writing ACIs are:
    http://www.identityfusion.com/opendj-access-control-explained/
    https://backstage.forgerock.com/docs/ds/5.5/admin-guide/#chap-privileges-acis
    https://backstage.forgerock.com/docs/ds/5.5/security-guide/#access-acis

    #20590
     rezaansyed 
    Participant

    ./dsconfig set-access-control-handler-prop --add global-aci:'(target="ldap:///dc=example,dc=com")(targetattr = "*")(targetscope = "subtree")(version 3.0;acl "Anonymous allow ldap modify access"; allow(read, write, search, compare, delete, export, import)(userdn = "ldap:///cn=Fourth Admin,cn=Root DNs,cn=config");)' --port 4444 --bindDN "cn=Directory Manager" --bindPassword secretpassword --trustAlln

    So I tried adding this ACI which should allow the new DN (cn=Fourth Admin,cn=Root DNs,cn=config) to be able to do read and writes on the entire hierarchy (dc=example,dc=com). However, after trying a couple of times I haven’t been able to get it to work and the new admin still has insufficient access rights. Do you know what I may have done wrong here?

    #25793
     udbolla 
    Participant

    We are facing the same issue. What was the resolution?

    Thanks
    Uma
