MLWeiner

eDirectory LDAP event monitoring permission denied

I'm attempting to use a service account with read-only access to the directory with an application that wants to set up event monitoring to track logon/logoff activity. If I poll the directory, it can see all needed attributes. If I switch it to monitor events, it fails and I can see a permission denied error on setting up event monitoring in the ndstrace log.

I'm guessing there is some ACL or trustee right I can change to allow it to set up event monitoring, but I can't find any documentation on what it is and where. The application vendor is, of course, saying "oh just give global supervisor trustee rights at the root" but I'd much rather not have it using an unbounded admin account just to set up event monitoring.

Any help is much appreciated.

Thanks,
-Matt
ab (Knowledge Partner)

Re: eDirectory LDAP event monitoring permission denied

What do you mean by "event monitoring"? If you want auditing then
eDirectory has those options, but they send out the events, so there is no
need to specify an account for anything in that case, at least not within
eDirectory itself (vs. Sentinel where the events can be sent).

If you are following any particular docs, perhaps send those. If you are
using something like an LDAP Persistent search then your user will at
least need rights to whatever attributes are changing, but I suppose
eDirectory itself could impose additional requirements on top of those.
Without knowing exactly what you are trying, it's all speculation.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
MLWeiner

Re: eDirectory LDAP event monitoring permission denied

The problem is, unfortunately, I'm not entirely sure what I'm trying to do either. I'm trying to integrate a third-party product that supposedly "supports eDirectory" but they have no documentation on exactly what they are asking for from the directory services, no documentation on how to set it up, and their support engineer is just telling me "just make a user with supervisor trustees to the tree and there you go!" while also admitting they've never tested it on a deployment with more than one server. It shouldn't need to change anything in the directory. It should just need to read user and group assignments, networkAddress for logged in users, then listen for login and logout events to keep an updated record of who is logged in and to what IP. At least that's theoretically how it works.

They made it sound like it was an LDAP persistent search, which according to the documentation for eDirectory 8.8 (I'm running this product against an OES 2015 SP1 server - https://www.netiq.com/documentation/edir88/edir88/data/agpcvpg.html), should not require special permissions beyond those of the attributes I am trying to look for. However, when I decided to do an ndstrace to see what it's trying to do and why it's failing, I'm seeing an error for "event monitoring extensions - permission denied" which seems to imply it's using the eDirectory LDAP event extensions to listen for login / logout events and that somehow requires special permissions (this is a security appliance that will use user and group assignments and logged in network addresses to set IP access policies).

I wish I could be more specific, but I'm thinking I may need to just do a tcpdump on it and see if I can see the exact request(s) it's making as not even the company that made it seems to be sure of what it's doing. They just seem to think "more rights" will solve the problem and while they are likely right, I'm not keen on opening a big hole in my network security to compensate for the matching hole in their documentation and engineering specs. 😞
ab (Knowledge Partner)

Re: eDirectory LDAP event monitoring permission denied

Be sure you have LDAP tracing enabled fully, as I would think we could get
a bit more out of this, and then post the output. The following commands
will, hopefully, help if executed as 'root' on the OES box:


ldapconfig set 'LDAP Screen Level=all'
ndstrace
set dstrace=nodebug
dstrace +time +tags +ldap
set dstrace=*m9999999
dstrace file on
set dstrace=*r
#perform test here from the application
dstrace file off
quit


Post the (by default) /var/opt/novell/eDirectory/log/ndstrace.log file
contents here for review. We should see the connection, the bind, and
what kind of query is being issued, and then perhaps we can test against
our own machines.


--
Good luck.

MLWeiner

Re: eDirectory LDAP event monitoring permission denied

ab wrote:
> Be sure you have LDAP tracing enabled fully, as I would think we could get
> a bit more out of this, and then post the output. The following commands
> will, hopefully, help if executed as 'root' on the OES box:
>
> ldapconfig set 'LDAP Screen Level=all'
> ndstrace
> set dstrace=nodebug
> dstrace +time +tags +ldap
> set dstrace=*m9999999
> dstrace file on
> set dstrace=*r
> #perform test here from the application
> dstrace file off
> quit
>
> Post the (by default) /var/opt/novell/eDirectory/log/ndstrace.log file
> contents here for review. We should see the connection, the bind, and
> what kind of query is being issued, and then perhaps we can test against
> our own machines.

I didn't get an exact query, it looks like it's asking for the LDAP extension directly. This is what I got out of the trace:

2722039552 LDAP: [2017/08/15 8:27:17.584] (10.6.5.10:38106)(0x0000:0x00) DoTLSHandshake on connection 0x13907500
2722039552 LDAP: [2017/08/15 8:27:17.599] BIO ctrl called with unknown cmd 7
2722039552 LDAP: [2017/08/15 8:27:17.599] (10.6.5.10:38106)(0x0000:0x00) Completed TLS handshake on connection 0x13907500
2691827456 LDAP: [2017/08/15 8:27:17.605] (10.6.5.10:38106)(0x0001:0x60) DoBind on connection 0x13907500
2691827456 LDAP: [2017/08/15 8:27:17.605] (10.6.5.10:38106)(0x0001:0x60) Bind name:cn=xxxx,o=yyyy, version:3, authentication:simple
2691827456 LDAP: [2017/08/15 8:27:17.606] (10.6.5.10:38106)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x13907500
2687616768 LDAP: [2017/08/15 8:27:17.612] (10.6.5.10:38106)(0x0002:0x77) DoExtended on connection 0x13907500
2687616768 LDAP: [2017/08/15 8:27:17.612] (10.6.5.10:38106)(0x0002:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.27.100.79
2687616768 LDAP: [2017/08/15 8:27:17.613] (10.6.5.10:38106)(0x0002:0x77) Monitor events extension: Insufficient Access Rights for the object to monitor the events.
2687616768 LDAP: [2017/08/15 8:27:17.613] (10.6.5.10:38106)(0x0002:0x77) Sending operation result 1:"":"Insufficient access rights to monitor events." to connection 0x13907500
3111597824 LDAP: [2017/08/15 8:27:17.619] (10.6.5.10:38106)(0x0003:0x50) DoAbandon on connection 0x13907500
3111597824 LDAP: [2017/08/15 8:27:17.619] (10.6.5.10:38106)(0x0003:0x50) Abandon could not find operation msgID 2 on connection 0x13907500
3111597824 LDAP: [2017/08/15 8:27:17.619] (10.6.5.10:38106)(0x0004:0x42) DoUnbind on connection 0x13907500
3111597824 LDAP: [2017/08/15 8:27:17.619] Connection 0x13907500 closed
ab (Knowledge Partner)
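The trace above tells the whole story once the lines are grouped by connection and LDAP message id: the bind succeeds (result 0), the extended request carries OID 2.16.840.1.113719.1.27.100.79, and the server answers that same message id with result 1 and "Insufficient access rights to monitor events." The following script is an added example, not code from the thread or from NetIQ/Micro Focus; it parses ndstrace LDAP lines of the shape shown above, links each non-zero operation result back to the request that caused it (and, for extended requests, to the OID), and records the bound DN so a reviewer can see exactly which service account hit the denial. The sample input is the posted trace, embedded verbatim; the operation-tag names come from the LDAP BER application tags (0x60 bind, 0x77 extended, 0x50 abandon, 0x42 unbind), and the OID name is taken from the server's own "Monitor events extension" line.

```python
import re

# Constructed sample input: the ndstrace lines MLWeiner posted above, copied verbatim.
SAMPLE_TRACE = """\
2722039552 LDAP: [2017/08/15 8:27:17.584] (10.6.5.10:38106)(0x0000:0x00) DoTLSHandshake on connection 0x13907500
2722039552 LDAP: [2017/08/15 8:27:17.599] BIO ctrl called with unknown cmd 7
2722039552 LDAP: [2017/08/15 8:27:17.599] (10.6.5.10:38106)(0x0000:0x00) Completed TLS handshake on connection 0x13907500
2691827456 LDAP: [2017/08/15 8:27:17.605] (10.6.5.10:38106)(0x0001:0x60) DoBind on connection 0x13907500
2691827456 LDAP: [2017/08/15 8:27:17.605] (10.6.5.10:38106)(0x0001:0x60) Bind name:cn=xxxx,o=yyyy, version:3, authentication:simple
2691827456 LDAP: [2017/08/15 8:27:17.606] (10.6.5.10:38106)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x13907500
2687616768 LDAP: [2017/08/15 8:27:17.612] (10.6.5.10:38106)(0x0002:0x77) DoExtended on connection 0x13907500
2687616768 LDAP: [2017/08/15 8:27:17.612] (10.6.5.10:38106)(0x0002:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.27.100.79
2687616768 LDAP: [2017/08/15 8:27:17.613] (10.6.5.10:38106)(0x0002:0x77) Monitor events extension: Insufficient Access Rights for the object to monitor the events.
2687616768 LDAP: [2017/08/15 8:27:17.613] (10.6.5.10:38106)(0x0002:0x77) Sending operation result 1:"":"Insufficient access rights to monitor events." to connection 0x13907500
3111597824 LDAP: [2017/08/15 8:27:17.619] (10.6.5.10:38106)(0x0003:0x50) DoAbandon on connection 0x13907500
3111597824 LDAP: [2017/08/15 8:27:17.619] (10.6.5.10:38106)(0x0003:0x50) Abandon could not find operation msgID 2 on connection 0x13907500
3111597824 LDAP: [2017/08/15 8:27:17.619] (10.6.5.10:38106)(0x0004:0x42) DoUnbind on connection 0x13907500
3111597824 LDAP: [2017/08/15 8:27:17.619] Connection 0x13907500 closed
"""

# LDAP protocol-op BER application tags (RFC 4511) as they appear in the (msgid:tag) field.
LDAP_OP_TAGS = {
    0x60: "bindRequest", 0x63: "searchRequest", 0x66: "modifyRequest", 0x68: "addRequest",
    0x4a: "delRequest", 0x50: "abandonRequest", 0x42: "unbindRequest", 0x77: "extendedReq",
}
# OID seen in the trace above; the server's next line names it the Monitor events extension.
KNOWN_EXTENSIONS = {"2.16.840.1.113719.1.27.100.79": "Monitor events request"}

LINE_RE = re.compile(
    r"^(?P<tid>\d+) LDAP: \[(?P<ts>[^\]]+)\]"
    r"(?: \((?P<peer>[^)]+)\)\((?P<msgid>0x[0-9a-f]+):(?P<optag>0x[0-9a-f]+)\))?"
    r" (?P<msg>.*)$", re.IGNORECASE)
CONN_RE = re.compile(r"connection (0x[0-9a-f]+)", re.IGNORECASE)
BIND_RE = re.compile(r"Bind name:(?P<dn>.*?), version:(?P<ver>\d+), authentication:(?P<auth>\S+)")
OID_RE = re.compile(r"Extension Request OID: (?P<oid>[\d.]+)")
RESULT_RE = re.compile(r'Sending operation result (?P<code>\d+):"(?P<matched>[^"]*)":"(?P<text>[^"]*)"')


def parse_trace(text):
    """Group LDAP trace lines by connection, then by LDAP message id.

    Lines without a (peer)(msgid:tag) prefix carry nothing we can attach, so they are skipped.
    The server prints the connection handle only on some lines, so the peer address is used
    to remember which connection that peer's later lines belong to.
    """
    conns, peer_to_conn = {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("peer") is None:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        cm = CONN_RE.search(msg)
        if cm:
            peer_to_conn[peer] = cm.group(1)
        conn = conns.setdefault(peer_to_conn.get(peer, peer), {"peer": peer, "bind_dn": None, "ops": {}})
        optag = int(m.group("optag"), 16)
        op = conn["ops"].setdefault(int(m.group("msgid"), 16), {
            "op": LDAP_OP_TAGS.get(optag, hex(optag)), "oid": None, "oid_name": None,
            "result_code": None, "result_text": "", "server_notes": []})
        if bm := BIND_RE.search(msg):
            conn["bind_dn"] = bm.group("dn")          # last successful-or-not bind on this connection
        elif om := OID_RE.search(msg):
            op["oid"] = om.group("oid")
            op["oid_name"] = KNOWN_EXTENSIONS.get(op["oid"], "unknown extension")
        elif rm := RESULT_RE.search(msg):
            op["result_code"] = int(rm.group("code"))
            op["result_text"] = rm.group("text")
        elif "insufficient access" in msg.lower() or "denied" in msg.lower():
            op["server_notes"].append(msg)            # server-side explanation preceding the result
    return conns


def find_access_failures(text):
    """Return one record per operation the server answered with a non-zero result code."""
    failures = []
    for conn_id, conn in parse_trace(text).items():
        for msgid, op in sorted(conn["ops"].items()):
            if op["result_code"]:
                failures.append({"conn": conn_id, "peer": conn["peer"], "bind_dn": conn["bind_dn"],
                                 "msgid": msgid, **op})
    return failures


if __name__ == "__main__":
    for f in find_access_failures(SAMPLE_TRACE):
        print(f"{f['conn']} bound as {f['bind_dn']} msgid={f['msgid']} {f['op']} "
              f"oid={f['oid']} ({f['oid_name']}) -> result {f['result_code']}: {f['result_text']}")
        for note in f["server_notes"]:
            print("   server said:", note)
```

Run it against a real ndstrace.log by reading the file into `find_access_failures`; the bind DN is tracked per connection (a rebind overwrites it), which is enough to tell which service account is being refused and for which extension, before any rights are widened.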

Re: eDirectory LDAP event monitoring permission denied

One shortcoming of using extensions is that ndstrace does not trace much
about the requests, which is really annoying when you hit something like
this, though probably not important ultimately.

It kind of looks like they are using a proprietary extension rather than
a typical Persistent Search:

https://www.novell.com/documentation/developer/jldap/jldapenu/data/aep00l3.html

Is it safe to assume you have enabled event monitoring on the box as
mentioned on that page?

This documentation may be what you need to do to enable it, separately
from Persistent Searches also documented on the same page:

https://www.netiq.com/documentation/edir88/edir88/data/agpcvpg.html

As part of the developer kit it looks like this class may be useful to
create code to do this, though I do not see any notes here about permissions:

https://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/events/edir/MonitorEventRequest.html

https://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/events/edir/MonitorEventResponse.html

Unfortunately a bit of scouring the Internet has not turned up what I
hoped to find in terms of the required permissions. Short of a tree admin
I would probably try granting Read/Compare to [All Attributes Rights] at
the top of the tree Inheritable to see if that does it along with Browse
to [Entry Rights] at the same location. This is basically what is granted
whenever you create a new ACL so it is easy to do in iManager, though you
could do it with LDAP too assuming the user does not already have rights
at the top of the tree, in which case this may conflict:


dn:
changetype: modify
add: acl
acl: 3#subtree#cn=user,ou=goes,o=here#[All Attributes Rights]
acl: 1#subtree#cn=user,ou=goes,o=here#[Entry Rights]


If that does not work, next I would try granting rights to the server
object explicitly, probably Write to ACL or even Supervisor to [Entry
Rights], as sometimes those are used to designate a user as being special.

Alternatively, perhaps open a Service Request (SR) with Micro Focus. I'll
see if I can get something as well.

Another option is to query for something at a level you know your user has
rights and for which is basically public information (Surname, Object
Class, etc.) just to see if something about what you are requesting is
acting up.

--
Good luck.

MLWeiner

Re: eDirectory LDAP event monitoring permission denied

Granting Supervisor to Entry Rights on the server object did it. Tried messing with other options in the trustee rights, but nothing worked except that. No more permission errors! Perhaps there is something tighter buried in there that I could change, but I couldn't find it.

THANK YOU! 😄
ab (Knowledge Partner)
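To make the two grants discussed in this thread concrete (the Read/Compare and Browse ACL values in ab's LDIF, and the Supervisor to [Entry Rights] on the server object that MLWeiner reports as the fix), here is an added example, not code from the thread or from NetIQ/Micro Focus, that decodes and builds eDirectory ACL attribute values of the form privileges#scope#trustee#protected-attribute and audits a set of them for Supervisor grants. The bit tables are eDirectory's rights bits (entry rights: Browse 1, Add 2, Delete 4, Rename 8, Supervisor 16; attribute rights: Compare 1, Read 2, Write 4, Self 8, Supervisor 32; Inheritance control 64 for both). The sample ACL list is constructed with hypothetical DNs, and it assumes the server-object grant was made with scope "entry" (the object itself, not inheritable), which is the bounded form of what worked.

```python
# eDirectory ACL value layout: privileges#scope#trustee#protected-attribute, as in ab's LDIF.
# Rights bits differ for [Entry Rights] and for attribute rights (same bit, different meaning).
ENTRY_RIGHTS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor", 64: "Inheritance control"}
ATTR_RIGHTS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 32: "Supervisor", 64: "Inheritance control"}


def rights_table(protected_attr):
    return ENTRY_RIGHTS if protected_attr == "[Entry Rights]" else ATTR_RIGHTS


def parse_acl(value):
    """Decode one ACL value into its parts and the named rights its privilege bits grant."""
    priv, scope, trustee, attr = value.split("#", 3)   # attribute names never contain '#'
    priv = int(priv)
    table = rights_table(attr)
    names = [name for bit, name in sorted(table.items()) if priv & bit]
    unknown = priv & ~sum(table)                        # bits no entry in the table explains
    return {"privileges": priv, "scope": scope, "trustee": trustee, "attribute": attr,
            "rights": names, "unknown_bits": unknown}


def make_acl(rights, scope, trustee, attr):
    """Build an ACL value from right names; the inverse of parse_acl."""
    if scope not in ("entry", "subtree"):
        raise ValueError(f"scope must be 'entry' or 'subtree', got {scope!r}")
    inv = {name: bit for bit, name in rights_table(attr).items()}
    priv = 0
    for r in rights:
        priv |= inv[r]   # KeyError if the right name does not exist for this kind of target
    return f"{priv}#{scope}#{trustee}#{attr}"


def audit_supervisor_grants(acl_values):
    """List trustees holding Supervisor and how far each grant reaches.

    Supervisor on [Entry Rights] is full control of the object (and, with scope subtree,
    of everything beneath it); Supervisor on an attribute is full control of that attribute.
    """
    findings = []
    for v in acl_values:
        a = parse_acl(v)
        if "Supervisor" not in a["rights"]:
            continue
        if a["attribute"] == "[Entry Rights]":
            reach = "whole subtree" if a["scope"] == "subtree" else "this object only"
        else:
            reach = f"attribute {a['attribute']} ({a['scope']})"
        findings.append({"trustee": a["trustee"], "attribute": a["attribute"],
                         "scope": a["scope"], "reach": reach})
    return findings


# Constructed sample (hypothetical DNs): the ACL attribute of a server object after the grants
# from this thread. The third value is the one MLWeiner reports worked, assumed to be given
# with scope "entry" on the server object only; the last is an admin-style grant for contrast.
SAMPLE_SERVER_ACL = [
    "3#subtree#cn=svc-monitor,ou=services,o=example#[All Attributes Rights]",
    "1#subtree#cn=svc-monitor,ou=services,o=example#[Entry Rights]",
    "16#entry#cn=svc-monitor,ou=services,o=example#[Entry Rights]",
    "16#subtree#cn=admin,o=example#[Entry Rights]",
]

if __name__ == "__main__":
    for v in SAMPLE_SERVER_ACL:
        a = parse_acl(v)
        print(f"{a['trustee']:42} {a['scope']:8} {a['attribute']:24} {', '.join(a['rights'])}")
    for f in audit_supervisor_grants(SAMPLE_SERVER_ACL):
        print("Supervisor:", f["trustee"], "->", f["reach"])
```

Reading the ACL attribute of the server object (and of the tree root) over LDAP and feeding the values to `audit_supervisor_grants` is a quick way to confirm that the monitoring account's Supervisor grant stops at the server object rather than being inherited down a subtree.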

Re: eDirectory LDAP event monitoring permission denied

On 08/15/2017 10:16 AM, MLWeiner wrote:
>
> Granting Supervisor to Entry Rights on the server object did it. Tried
> messing with other options in the trustee rights, but nothing worked
> except that. No more permission errors! Perhaps there is something
> tighter buried in there that I could change, but I couldn't find it.
>
> THANK YOU! 😄


And to you for posting back your results. This is good information to
have, and now it is out there for others to find. I will see if I get a
response back from engineering confirming that as a requirement, or what
the requirement really is, and try to get a TID published for it. If you
do not hear back from me in a week or two, feel free to nag.

--
Good luck.
