Trustee Reporting


Have had several clients looking for a method to report any entries with
"Elevated" permissions within eDirectory.

Of course this is from LDAP and no one has the Novell client installed.

Are there any products available to perform such reports?

Are there others who are looking for a solution?

I created a Java program that will evaluate ACLs, but it is cumbersome
as you must pull in all the ACLs and then figure out what those leading
bits represent and then determine the trustee and then elaborate the
members of the trustee (i.e. if it is a group or org role).

From what I can tell, ACLs are not searchable from LDAP. So there is no
method to do an LDAP query for anyone with supervisor access to any
entry.
Or am I missing something?

Ideas or suggestions?

Thanks
-jim


--
jwilleke
------------------------------------------------------------------------
jwilleke's Profile: https://forums.netiq.com/member.php?userid=401
View this thread: https://forums.netiq.com/showthread.php?t=50921

Re: Trustee Reporting

I'll bet Peter chimes in with something about the DreamLAN product that
does reporting, but I've never used that and am not sure if it uses LDAP
or not.

Years ago I tried creating something similar to your Java-based program
but eventually gave up because I didn't know enough then. Besides
handling the ACL values which are complex when factoring in inheritance,
there are also things like securityEquals that could complicate matters
significantly, particularly when factoring in all of the ways those can be
set from org roles, groups of various types, etc.

While reading your post something came to mind that could perhaps be
useful; when the IDM User Application is running it does a bunch of checks
for a logged-in user to see what rights they have which I've only recently
learned. As I recall one of the times it happens is when a user tries to
edit another user in the Detail Portlet; maybe it also happens as the
UserApp tries to figure out which PRDs to display to the logged-in user.
Either way, it does so using an LDAP Control to get effective privileges
of the trustee in a way that just comes back Yea or Nay. Some notes from
my recent investigation that are probably more than you need:

javac -cp ../novell-jldap-devel-2013.08.30.1433-xplat/lib/ldap.jar:./novell-jldap-devel-2013.08.30.1433-xplat/lib/utilities.jar ../GetEffectivePrivileges.java

java -cp ../:./novell-jldap-devel-2013.08.30.1433-xplat/lib/ldap.jar:./novell-jldap-devel-2013.08.30.1433-xplat/lib/utilities.jar GetEffectivePrivileges server.goes.here 389 cn=admin,dc=sa,dc=system 'novell' 'cn=testedUser,ou=users,o=top' 'cn=admin,dc=sa,dc=system'

<quote source="ndstrace" testcase="validAttribute" attrname="acl">
2353719040 LDAP: [2014/02/13 9:34:53.213] New cleartext connection
0x106fee00 from 172.30.51.30:44998, monitor = 0x7248b700, index = 4
1808398080 LDAP: [2014/02/13 9:34:53.302]
(172.30.51.30:44998)(0x0001:0x60) DoBind on connection 0x106fee00
1808398080 LDAP: [2014/02/13 9:34:53.302]
(172.30.51.30:44998)(0x0001:0x60) Bind name:cn=admin,ou=sa,o=system
version:3, authentication:simple
1808398080 LDAP: [2014/02/13 9:34:53.306]
(172.30.51.30:44998)(0x0001:0x60) Sending operation result 0:"":"" to
connection 0x106fee00
1918420736 LDAP: [2014/02/13 9:34:53.561]
(172.30.51.30:44998)(0x0002:0x77) DoExtended on connection 0x106fee00
1918420736 LDAP: [2014/02/13 9:34:53.561]
(172.30.51.30:44998)(0x0002:0x77) DoExtended: Extension Request OID:
2.16.840.1.113719.1.27.100.33
1918420736 LDAP: [2014/02/13 9:34:53.567]
(172.30.51.30:44998)(0x0002:0x77) Sending operation result 0:"":"" to
connection 0x106fee00
1799841536 LDAP: [2014/02/13 9:34:53.652]
(172.30.51.30:44998)(0x0003:0x42) DoUnbind on connection 0x106fee00
1799841536 LDAP: [2014/02/13 9:34:53.652] Connection 0x106fee00 closed
</quote>

Perhaps you can use this call to do some quick checks letting eDirectory
do all of the rights calculations. I think the downside for this is you
still need to point to a specific trustee and ask, "Does it have rights?"
but I am not sure there's going to be much of a way around that other than
getting low-hanging fruit by looking for specific ACLs as you already are
that will get you most things but not all, or writing something that
handles all ACL calculations just like eDirectory which is a big task.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Re: Trustee Reporting


Hello,

I am interested in this subject and I would like to raise a question.
Is there any attribute that I could map through LDAP to export trustee
information?
I tried the ACL one, but didn't get some users'/groups' direct assignments;
most of what I got there is related to RBS assignment.

Thanks

Emerson


--
emerson_infosys
------------------------------------------------------------------------
emerson_infosys's Profile: https://forums.netiq.com/member.php?userid=5308

Re: Trustee Reporting


> but didn't get some users/groups direct assignments


You're saying you get SOME but not SOME others?


--
--
-eDirectory Rules!-

Peter
www.DreamLAN.com
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170

Re: Trustee Reporting

On Fri, 23 May 2014 21:24:02 +0000, emerson infosys wrote:

> Hello,
>
> I am interested in this subject and I would like to raise a question.
> Is there any attribute that I could map through LDAP to export trustee
> information?
> I tried the ACL one, but didn't get some users'/groups' direct assignments;
> most of what I got there is related to RBS assignment.


ACL is the attribute to export. Then you have to interpret inheritance,
and calculate security equivalence.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
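Taking David's answer (export the ACL attribute, then interpret it) together with the steps Jim lists in the opening post (decode the leading bits, find the trustee, expand group and org-role members), here is an added Python example, not code from anyone in this thread, that decodes LDAP-form ACL values and reports which principals end up holding Supervisor. The "privileges#scope#trustee#protectedAttr" layout and the bit values are assumed from the eDirectory documentation, the group membership is a constructed stand-in for what you would read over LDAP, and inheritance down the tree and security equivalence, the parts David says still need calculating, are deliberately left out.

```python
# Bit meanings and the value layout "privileges#scope#trustee#protectedAttr"
# are assumed from the eDirectory admin guide; check them against your version.
ENTRY_BITS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename",
              16: "Supervisor", 64: "Inheritance control"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self",
             32: "Supervisor", 64: "Inheritance control"}

def parse_acl(value):
    """Decode one LDAP-form ACL value; [Entry Rights] and attribute ACLs use different bit tables."""
    parts = value.split("#", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        raise ValueError("malformed ACL value: %r" % value)
    priv, scope, trustee, protected = int(parts[0]), parts[1], parts[2], parts[3]
    table = ENTRY_BITS if protected == "[Entry Rights]" else ATTR_BITS
    rights = [name for bit, name in table.items() if priv & bit]
    return {"scope": scope, "trustee": trustee, "protected": protected, "rights": rights}

def expand_trustee(trustee, members, seen=None):
    """Flatten a group/org-role trustee to leaf DNs; 'seen' guards against nested cycles."""
    seen = set() if seen is None else seen
    if trustee not in members:
        return {trustee}
    if trustee in seen:
        return set()
    seen.add(trustee)
    leaves = set()
    for m in members[trustee]:
        leaves |= expand_trustee(m, members, seen)
    return leaves

def supervisor_report(acl_values, members):
    """Map each principal that ends up with Supervisor to the ACL values granting it."""
    report = {}
    for raw in acl_values:
        acl = parse_acl(raw)
        if "Supervisor" in acl["rights"]:
            for principal in sorted(expand_trustee(acl["trustee"], members)):
                report.setdefault(principal, []).append(raw)
    return report

# Constructed sample input: ACL values read from one entry, plus the group
# membership you would otherwise fetch over LDAP (member / roleOccupant).
SAMPLE_ACLS = [
    "16#subtree#cn=HelpDesk,ou=groups,o=top#[Entry Rights]",
    "32#subtree#cn=jim,ou=users,o=top#[All Attributes Rights]",
    "6#entry#cn=emerson,ou=users,o=top#telephoneNumber",
]
SAMPLE_MEMBERS = {"cn=HelpDesk,ou=groups,o=top":
                  ["cn=jim,ou=users,o=top", "cn=emerson,ou=users,o=top"]}
```

Calling supervisor_report(SAMPLE_ACLS, SAMPLE_MEMBERS) attributes the HelpDesk grant to both members and adds jim's own all-attributes Supervisor grant, while the Read/Write value on telephoneNumber is not reported.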

Re: Trustee Reporting


'Fraid I don't have much to add at this time. Though I have something I use
internally, it's not anything that I am real "happy" with (read,
solid) nor ready to publish at this time. As you said, it's a fairly
complicated matter and every time I look, I find something new I may
have missed or double-counted, etc.


--
--
-eDirectory Rules!-

Peter
www.DreamLAN.com
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170