eDirectory Object ACL and Class Analysis
By: ChrisRandles

April 3, 2009 5:47 pm

License: Free

Download ACL_Analysis.zip

Program Purpose:

This tool gives you the ability to quickly identify all object-related access rights throughout an entire eDirectory tree.

For each object it compares SECURITYEQUALS against EQUIVALENTTOME to verify that every link has its backlink, and reports any broken security equivalence as an error.

For each object it compares GROUPMEMBERSHIP against MEMBER to verify that every link has its backlink, and reports any broken group/membership association.
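The two link/backlink checks described above, as an added Python example (not the Perl code from ACL_Analysis.zip) run over a small constructed LDIF sample; the attribute names are the eDirectory LDAP names an LDIF export carries, the DNs are made up.

```python
# Link/backlink cross-check for an eDirectory LDIF export. Added example, not
# code from ACL_Analysis.zip; the LDIF below is a constructed sample in which
# USER015 -> GWD0 lacks its EQUIVALENTTOME backlink, BLUES lists USER015 as
# MEMBER/EQUIVALENTTOME without the forward links, and GWD0 has an empty
# 'member' value (the case acl.pl writes to ERRORS.TXT).
SAMPLE_LDIF = """\
dn: cn=USER015,ou=AREA1,ou=IT,o=myCompany
securityEquals: cn=KIT,ou=AREA1,ou=IT,o=myCompany
securityEquals: cn=GWD0,ou=GHB,ou=IT,o=myCompany
groupMembership: cn=KIT,ou=AREA1,ou=IT,o=myCompany

dn: cn=KIT,ou=AREA1,ou=IT,o=myCompany
member: cn=USER015,ou=AREA1,ou=IT,o=myCompany
equivalentToMe: cn=USER015,ou=AREA1,ou=IT,o=myCompany

dn: cn=GWD0,ou=GHB,ou=IT,o=myCompany
member:

dn: cn=BLUES,ou=AREA1,ou=IT,o=myCompany
member: cn=USER015,ou=AREA1,ou=IT,o=myCompany
equivalentToMe: cn=USER015,ou=AREA1,ou=IT,o=myCompany
"""

LINK_PAIRS = (("securityequals", "equivalenttome"),   # forward attr -> backlink
              ("groupmembership", "member"))


def parse_ldif(text):
    """Minimal LDIF parser -> {dn.lower(): {attr.lower(): [values]}}.
    Folded lines and base64 ('::') values are not handled."""
    entries, attrs = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":                       # a new entry starts
            attrs = entries.setdefault(value.lower(), {})
        elif attr and attrs is not None:       # blank lines have no attr
            attrs.setdefault(attr, []).append(value)
    return entries


def find_broken_links(entries):
    """Sorted (source_dn, attr, target_dn, problem) tuples: a link value whose
    counterpart attribute on the target is missing, or an empty value."""
    broken = []
    for fwd, back in LINK_PAIRS:
        for attr, expect in ((fwd, back), (back, fwd)):   # check both directions
            for dn, attrs in entries.items():
                for target in attrs.get(attr, []):
                    if not target:
                        broken.append((dn, attr, "", "empty value"))
                    elif dn not in (v.lower() for v in
                                    entries.get(target.lower(), {}).get(expect, [])):
                        broken.append((dn, attr, target.lower(), "no " + expect))
    return sorted(broken)


if __name__ == "__main__":
    for row in find_broken_links(parse_ldif(SAMPLE_LDIF)):
        print(row)
```

A target that is absent from the export altogether is reported the same way as a missing backlink, which is what you want when the LDIF was taken with an account that could not read part of the tree.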

The data output provided by the programs can be used to achieve many things, including:

  • Identify all objects/users that have missing ACLs (e.g. access rights to change attributes in eGuide in the data vault)*
  • Identify all objects/users that are able to modify specific attributes
  • Identify all objects that have specific access rights to another object

The program output also creates a text file for each class of object found in the input data. The files contain an RDN list of all of the objects found for that class.

Programs:

acl.pl – Program to analyze the data contained in the LDIF input file.
objectreport.pl – Program to produce individual object information analysis files.

NOTE: acl.pl must be run before objectreport.pl can be run.

Input / Program Requirements:

An LDIF file of all ‘User Level’ attributes from all objects in an eDirectory tree. To export the LDIF data, use an account with full tree rights, or at least read access to all objects/attributes in the source tree.

See the associated PDFs on how to use ConsoleOne or iManager to export the data needed as input for these programs.

The programs have been tested on SUSE Linux 10 on x86_64 using Perl v5.8.8. They will not run on MS Windows due to limitations within ActivePerl. If you do not have access to a Linux machine, there are many free virtualization solutions and free Linux distributions you can use to create a Linux virtual machine on which to run these Perl programs.

Space Usage on Linux – A tree with 64,000 objects creates an LDIF file of approx. 500 MB. The programs will create database files and reports from the LDIF totaling approx. 3 GB.

Output:

ERRORS.TXT (generated by acl.pl)

There are a few types of error that the program will recognize and report if found in the input data. One of them is an object with a ‘member’ attribute whose value is ‘empty’.

Group_Members_Totals.CSV (generated by objectreport.pl)

This file contains a list of all group objects found in the input data and includes a count of how many objects are members of that group.

IRFs.TXT (generated by objectreport.pl)

This file contains a list of objects with IRFs (Inherited Rights Filters).

Note: The IRFs listed will depend on the ACLs of the user object used to authenticate when creating the LDIF file used as the input to acl.pl

ObjectClass_Totals.CSV (generated by objectreport.pl)

This report contains a list of the object classes present in the input data and a total number of objects for each class.

Typical Object File Contents:

eDirectory Object Name: e.g. [CN=USER015,OU=AREA1,OU=IT,O=MyCompany]
Object Class : e.g. [inetOrgPerson]
ACL Attributes On This Object: / DESCRIPTION of ACLS:
Other Objects with ACL Attributes for This Object: / DESCRIPTION of ACLS:
SECURITYEQUALS Attributes On This Object:
Other Objects with EQUIVALENTTOME Attributes for This Object:
GROUPMEMBERSHIP Attributes On This Object:
Other Objects with MEMBER Attributes for This Object:
ZENPOLICY Attributes On This Object:
APPASSOCIATIONS Attributes On This Object:
rbsAssignedRoles2 Attributes On This Object:
rbsOwnedCollections2 Attributes On This Object:

Installation:

Copy acl.pl and objectreport.pl to an empty directory.

Create the following subdirectories:

  • CLASSES – This directory will contain a file for each class of object found in the source data.
  • DATA – This directory houses the programs' working database files.
  • OBJECTS – This directory will contain one file for each object in the source eDirectory tree.
  • OUTPUT – This directory contains output and error reports.

The files and reports placed in these directories are deleted/recreated on each run of the programs.

Known Issues:

Depending on the LDIF output ordering of the objectclass attributes, it may be possible for the program to incorrectly identify an object as the wrong class of object.

This program will not analyze 3rd party attributes or classes (added via schema extension).

Although the program will accept all classes of object in the input file, the program will only analyze ACLs for the following related classes and attributes:

ACL
SECURITYEQUALS
EQUIVALENTTOME
GROUPMEMBERSHIP
MEMBER
ZENPOLICY
APPASSOCIATIONS
rbsAssignedRoles2
rbsOwnedCollections2
roleOccupant

Send an enhancement request to have ACLs analyzed for additional classes/attributes.

* How to find all objects with missing ACLs (using Linux):

Run acl.pl and objectreport.pl against the LDIF output of your source eDirectory tree.

Change directory to the OBJECTS directory. This is the directory containing one output file for each object in your source tree.

To look for all objects that do not have an ACL for, say, ‘postofficebox’, use the syntax:

grep -L -i -r "postofficebox:" . > ../NOT_CONTAINING.TXT

This will create a file called NOT_CONTAINING.TXT in the parent directory of the OBJECTS directory. This file will contain a list of the object files that did not contain the text ‘postofficebox:’ (grep -L lists the files without a match).

To look for all objects that have a specific ACL for, say, ‘postofficebox’, use the syntax:

grep -l -i -r "postofficebox:" . > ../CONTAINING.TXT

This will create a file called CONTAINING.TXT in the parent directory of the OBJECTS directory. This file will contain a list of the object files that contain the text ‘postofficebox:’ (grep -l lists the files with a match).

NOTE: Make sure that the text you are searching for with the grep command is long enough to be ‘unique’ so that your test does not give false results.

NOTES:

A program will be added soon to produce an ‘Excessive Access Rights’ report to help identify security risks within a directory tree.

Individual Object Report File Example:

eDirectory Object: [CN=USER015,OU=AREA1,OU=AREA1,O=MyCompany]
Object Class     : [inetOrgPerson]

ACL Attributes On This Object:

   2#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]
   6#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#loginScript
   2#entry#[Public]#messageServer
   2#entry#[Root]#groupMembership
   6#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#printJobConfiguration
   2#entry#[Root]#networkAddress
   3#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#Desktop
   3#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#launcherConfig
   3#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#fullName
   3#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#appAssociations
   3#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#appLauncherConfig
   6#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#bhConfigRW
   6#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#bhConfigSecretStore
   2#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#bhConfig
   2#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#bhObjectGUID
   2#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#bhGUIDList
   2#entry#[Public]#nDSPKIUserCertificateInfo

   DESCRIPTION of ACLS:

   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read] for ALL ATTRIBUTES of this ENTRY and these rights are INHERITABLE
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [write/read] for attribute [loginScript] of this ENTRY
   [[Public]] has [read] for attribute [messageServer] of this ENTRY
   [[Root]] has [read] for attribute [groupMembership] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [write/read] for attribute [printJobConfiguration] of this ENTRY
   [[Root]] has [read] for attribute [networkAddress] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read/compare] for attribute [Desktop] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read/compare] for attribute [launcherConfig] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read/compare] for attribute [fullName] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read/compare] for attribute [appAssociations] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read/compare] for attribute [appLauncherConfig] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [write/read] for attribute [bhConfigRW] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [write/read] for attribute [bhConfigSecretStore] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read] for attribute [bhConfig] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read] for attribute [bhObjectGUID] of this ENTRY
   [cn=USER015,ou=AREA1,ou=IT,o=myCompany] has [read] for attribute [bhGUIDList] of this ENTRY
   [[Public]] has [read] for attribute [nDSPKIUserCertificateInfo] of this ENTRY


Other Objects with ACL Attributes for This Object:

   CN=HQ_NDPS_BROKER,OU=0HD,OU=0,O=myCompany > 16#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[Entry Rights]
   CN=HQ_NDPS_MANAGER,OU=0HD,OU=0,O=myCompany > 16#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[Entry Rights]
   CN=XVF_LJ9000_XP2,OU=042,OU=IT,O=myCompany > 8#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#nDPSUserRole
   CN=XVF_LJ9000_XP2,OU=042,OU=IT,O=myCompany > 2#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#ACL
   CN=XVF_LJ9000_XP2,OU=042,OU=IT,O=myCompany > 2#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#networkAddress
   CN=BARSADMIN,OU=RETIRED,OU=PRO,OU=IT,O=myCompany > 3#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]
   CN=BARS,OU=RETIRED,OU=PRO,OU=IT,O=myCompany > 3#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]
   CN=MAPDRIVETEST,OU=RETIRED,OU=PRO,OU=IT,O=myCompany > 3#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]
   CN=CCHRS,OU=RETIRED,OU=PRO,OU=IT,O=myCompany > 3#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]
   CN=XVFT_LJ4050_ADMIN_XP,OU=003,OU=00,O=myCompany > 16#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[Entry Rights]
   CN=XVF_LJ4200__XP2,OU=001,OU=00,O=myCompany > 16#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[Entry Rights]
   CN=XVF_LJ4200__XP2,OU=001,OU=00,O=myCompany > 8#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#nDPSOperatorRole
   CN=XVF_LJ4200__XP2,OU=001,OU=00,O=myCompany > 2#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#ACL
   CN=XVF_LJ4200__XP2,OU=001,OU=00,O=myCompany > 2#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#networkAddress
   CN=XVF_LJ4200__XP2,OU=001,OU=00,O=myCompany > 8#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#nDPSUserRole
   CN=ROLE BASED SERVICE 2,O=myCompany > 1073741840#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[Entry Rights]
   CN=LDAP BROWSER,OU=CUSTOM,OU=NAL,O=myCompany > 3#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]
   CN=INTU,OU=CUSTOM,OU=NAL,O=myCompany > 3#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]
   CN=CONTRACTS,OU=CUSTOM,OU=NAL,O=myCompany > 3#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]

   DESCRIPTION of ACLS:

   [CN=HQ_NDPS_BROKER,OU=0HD,OU=0,O=myCompany] has [supervisor] for this ENTRY and these rights are INHERITABLE
   [CN=HQ_NDPS_MANAGER,OU=0HD,OU=0,O=myCompany] has [supervisor] for this ENTRY and these rights are INHERITABLE
   [CN=XVF_LJ9000_XP2,OU=042,OU=IT,O=myCompany] has [self] for attribute [nDPSUserRole] of this ENTRY
   [CN=XVF_LJ9000_XP2,OU=042,OU=IT,O=myCompany] has [read] for attribute [ACL] of this ENTRY
   [CN=XVF_LJ9000_XP2,OU=042,OU=IT,O=myCompany] has [read] for attribute [networkAddress] of this ENTRY
   [CN=BARSADMIN,OU=RETIRED,OU=PRO,OU=IT,O=myCompany] has [read/compare] for ALL ATTRIBUTES of this ENTRY and these rights are INHERITABLE
   [CN=BARS,OU=RETIRED,OU=PRO,OU=IT,O=myCompany] has [read/compare] for ALL ATTRIBUTES of this ENTRY and these rights are INHERITABLE
   [CN=MAPDRIVETEST,OU=RETIRED,OU=PRO,OU=IT,O=myCompany] has [read/compare] for ALL ATTRIBUTES of this ENTRY and these rights are INHERITABLE
   [CN=CCHRS,OU=RETIRED,OU=PRO,OU=IT,O=myCompany] has [read/compare] for ALL ATTRIBUTES of this ENTRY and these rights are INHERITABLE
   [CN=XVFT_LJ4050_ADMIN_XP,OU=003,OU=00,O=myCompany] has [supervisor] for this ENTRY and these rights are INHERITABLE
   [CN=XVF_LJ4200_XP2,OU=001,OU=00,O=myCompany] has [supervisor] for this ENTRY and these rights are INHERITABLE
   [CN=XVF_LJ4200_XP2,OU=001,OU=00,O=myCompany] has [self] for attribute [nDPSOperatorRole] of this ENTRY
   [CN=XVF_LJ4200_XP2,OU=001,OU=00,O=myCompany] has [read] for attribute [ACL] of this ENTRY
   [CN=XVF_LJ4200_XP2,OU=001,OU=00,O=myCompany] has [read] for attribute [networkAddress] of this ENTRY
   [CN=XVF_LJ4200_XP2,OU=001,OU=00,O=myCompany] has [self] for attribute [nDPSUserRole] of this ENTRY
   [CN=ROLE BASED SERVICE 2,O=myCompany] has a reference for this ENTRY and these rights are INHERITABLE
   [CN=LBROWSER,OU=CUST,OU=NAL,O=myCompany] has [read/compare] for ALL ATTRIBUTES of this ENTRY and these rights are INHERITABLE
   [CN=INTU,OU=CUST,OU=NAL,O=myCompany] has [read/compare] for ALL ATTRIBUTES of this ENTRY and these rights are INHERITABLE
   [CN=CONTRACTS,OU=CUST,OU=NAL,O=myCompany] has [read/compare] for ALL ATTRIBUTES of this ENTRY and these rights are INHERITABLE


SECURITYEQUALS Attributes On This Object:

   cn=GWD0,ou=GHB,ou=IT,o=myCompany
   cn=EPrise Users,ou=AD,ou=IT,o=myCompany
   cn=myCompany,cn=Universal PW Admin,cn=Role Based Service 2,o=myCompany
   cn=WinMSSTesters,ou=AREA1,ou=IT,o=myCompany
   cn=Project2002,ou=AREA1,ou=IT,o=myCompany
   cn=iChain-NORM,ou=AREA1,ou=IT,o=myCompany
   cn=iChain-NetStorage,ou=AREA1,ou=IT,o=myCompany
   cn=KIT,ou=AREA1,ou=IT,o=myCompany
   cn=iChain-iManager,ou=AREA1,ou=IT,o=myCompany
   cn=iChain-iFolder,ou=AREA1,ou=IT,o=myCompany
   cn=VMware,ou=AREA1,ou=IT,o=myCompany
   cn=Linux,ou=AREA1,ou=IT,o=myCompany
   cn=Extra64,ou=AREA1,ou=IT,o=myCompany
   cn=VPN-Admin,ou=IT,o=myCompany
   cn=CCFT,ou=AREA1,ou=IT,o=myCompany
   cn=CUsers,ou=0,o=myCompany
   cn=iChain-OTP,ou=AREA1,ou=IT,o=myCompany
   cn=NFF,ou=AREA1,ou=IT,o=myCompany
   cn=WAN_Unit,ou=AREA1,ou=IT,o=myCompany
   cn=ITSTR,ou=AREA1,ou=IT,o=myCompany
   cn=Internet-HQ-LDIF,ou=0HD,ou=0,o=myCompany
   cn=BLUES,ou=AREA1,ou=IT,o=myCompany

Other Objects with EQUIVALENTTOME Attributes for This Object:

   CN=INTERNET-HQ-LDIF,OU=0HD,OU=0,O=myCompany
   CN=CUSERS,OU=0,O=myCompany
   CN=GWD0,OU=GHB,OU=IT,O=myCompany
   CN=WAN_UNIT,OU=AREA1,OU=IT,O=myCompany
   CN=EXTRA64,OU=AREA1,OU=IT,O=myCompany
   CN=WINMSSTESTERS,OU=AREA1,OU=IT,O=myCompany
   CN=PROJECT2002,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-NORM,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-NETSTORAGE,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-IMANAGER,OU=AREA1,OU=IT,O=myCompany
   CN=KIT,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-IFOLDER,OU=AREA1,OU=IT,O=myCompany
   CN=VMWARE,OU=AREA1,OU=IT,O=myCompany
   CN=LINUX,OU=AREA1,OU=IT,O=myCompany
   CN=CCFT,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-OTP,OU=AREA1,OU=IT,O=myCompany
   CN=NFF,OU=AREA1,OU=IT,O=myCompany
   CN=ITSTR,OU=AREA1,OU=IT,O=myCompany
   CN=BLUES,OU=AREA1,OU=IT,O=myCompany
   CN=EPRISE USERS,OU=AD,OU=IT,O=myCompany
   CN=VPN-ADMIN,OU=IT,O=myCompany
   CN=myCompany,CN=UNIVERSAL PW ADMIN,CN=ROLE BASED SERVICE 2,O=myCompany

GROUPMEMBERSHIP Attributes On This Object:

   cn=EPrise Users,ou=AD,ou=IT,o=myCompany
   cn=myCompany,cn=Universal PW Admin,cn=Role Based Service 2,o=myCompany
   cn=WinMSSTesters,ou=AREA1,ou=IT,o=myCompany
   cn=Project2002,ou=AREA1,ou=IT,o=myCompany
   cn=iChain-NORM,ou=AREA1,ou=IT,o=myCompany
   cn=iChain-NetStorage,ou=AREA1,ou=IT,o=myCompany
   cn=KIT,ou=AREA1,ou=IT,o=myCompany
   cn=iChain-iManager,ou=AREA1,ou=IT,o=myCompany
   cn=iChain-iFolder,ou=AREA1,ou=IT,o=myCompany
   cn=VMware,ou=AREA1,ou=IT,o=myCompany
   cn=Linux,ou=AREA1,ou=IT,o=myCompany
   cn=Extra64,ou=AREA1,ou=IT,o=myCompany
   cn=VPN-Admin,ou=IT,o=myCompany
   cn=CCFT,ou=AREA1,ou=IT,o=myCompany
   cn=CUsers,ou=0,o=myCompany
   cn=iChain-OTP,ou=AREA1,ou=IT,o=myCompany
   cn=NFF,ou=AREA1,ou=IT,o=myCompany
   cn=WAN_Unit,ou=AREA1,ou=IT,o=myCompany
   cn=ITSTR,ou=AREA1,ou=IT,o=myCompany
   cn=Internet-HQ-LDIF,ou=0HD,ou=0,o=myCompany
   cn=BLUES,ou=AREA1,ou=IT,o=myCompany

Other Objects with MEMBER Attributes for This Object:

   CN=AREA1,OU=GW,OU=0,O=myCompany
   CN=HQD,OU=GW,OU=0,O=myCompany
   CN=WEBACCESS,OU=GW,OU=0,O=myCompany
   CN=INTERNET-HQ-LDIF,OU=0HD,OU=0,O=myCompany
   CN=COLLAGEUSERS,OU=0,O=myCompany
   CN=GWD0,OU=GHB,OU=IT,O=myCompany
   CN=FTF-LIBRARY,OU=GHB,OU=IT,O=myCompany
   CN=WAN_UNIT,OU=AREA1,OU=IT,O=myCompany
   CN=EXTRA64,OU=AREA1,OU=IT,O=myCompany
   CN=WINMSSTESTERS,OU=AREA1,OU=IT,O=myCompany
   CN=PROJECT2002,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-NORM,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-NETSTORAGE,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-IMANAGER,OU=AREA1,OU=IT,O=myCompany
   CN=KIT,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-IFOLDER,OU=AREA1,OU=IT,O=myCompany
   CN=VMWARE,OU=AREA1,OU=IT,O=myCompany
   CN=LINUX,OU=AREA1,OU=IT,O=myCompany
   CN=CCFT,OU=AREA1,OU=IT,O=myCompany
   CN=ICHAIN-OTP,OU=AREA1,OU=IT,O=myCompany
   CN=NFF,OU=AREA1,OU=IT,O=myCompany
   CN=ITSTR,OU=AREA1,OU=IT,O=myCompany
   CN=REDS,OU=AREA1,OU=IT,O=myCompany
   CN=EPRISE USERS,OU=AD,OU=IT,O=myCompany
   CN=VPN-ADMIN,OU=IT,O=myCompany
   CN=ADMIN_GROUP,OU=5LL,OU=LL,O=myCompany
   CN=myCompany,CN=UNIVERSAL PW ADMIN,CN=ROLE BASED SERVICE 2,O=myCompany

ZENPOLICY Attributes On This Object:

   cn=Admin Package XPSP3,ou=IT,o=myCompany#0#zenUserPackage

APPASSOCIATIONS Attributes On This Object:

   cn=LDAP Browser,ou=Custom,ou=NAL,o=myCompany#4#0

rbsAssignedRoles2 Attributes On This Object:

   cn=Universal PW Admin,cn=Role Based Service 2,o=myCompany#0#0

rbsOwnedCollections2 Attributes On This Object:

   cn=Role Based Service 2,o=myCompany
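The ACL values in the report above follow eDirectory's LDAP ACL syntax privileges#scope#trustee#protectedAttr. The following Python decoder is an added example, not acl.pl's code: it rebuilds the DESCRIPTION lines from the bit values the report demonstrates (1 compare, 2 read, 4 write, 8 self for attributes; 16 supervisor for entry rights), flags any other bit as unknown rather than guessing, and answers the page's "who is able to modify attribute X" question for a list of ACL values.

```python
# Decoder for the ACL values in the report above (eDirectory LDAP ACL syntax
# privileges#scope#trustee#protectedAttr). Added example, not code from acl.pl;
# only the bits the report demonstrates are named, anything else is flagged.
ATTR_BITS = {1: "compare", 2: "read", 4: "write", 8: "self"}   # attribute rights
ENTRY_BITS = {16: "supervisor"}                                # [Entry Rights]

# Constructed list, copied from ACL values shown in the report above.
SAMPLE_ACLS = [
    "2#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[All Attributes Rights]",
    "6#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#loginScript",
    "2#entry#[Public]#messageServer",
    "3#entry#cn=USER015,ou=AREA1,ou=IT,o=myCompany#Desktop",
    "16#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[Entry Rights]",
    "1073741840#subtree#cn=USER015,ou=AREA1,ou=IT,o=myCompany#[Entry Rights]",
]


def decode_acl(value):
    """Render one ACL value as a DESCRIPTION line in the report's wording."""
    priv, scope, trustee, target = value.split("#", 3)
    priv = int(priv)
    if target == "[Entry Rights]":
        table, what = ENTRY_BITS, "for this ENTRY"
    elif target == "[All Attributes Rights]":
        table, what = ATTR_BITS, "for ALL ATTRIBUTES of this ENTRY"
    else:
        table, what = ATTR_BITS, f"for attribute [{target}] of this ENTRY"
    # Highest bit first, which gives the report's "write/read" ordering.
    names = [n for b, n in sorted(table.items(), reverse=True) if priv & b]
    unknown = priv & ~sum(table)          # bits the report never demonstrates
    if unknown:
        names.append(f"unknown bit(s) 0x{unknown:x}")
    inherit = " and these rights are INHERITABLE" if scope == "subtree" else ""
    return f"[{trustee}] has [{'/'.join(names)}] {what}{inherit}"


def can_modify(acl_values, attribute):
    """Trustees granted write (bit 4) on `attribute`, directly or through
    [All Attributes Rights]; supervisor entry rights are not expanded here."""
    writers = []
    for value in acl_values:
        priv, _scope, trustee, target = value.split("#", 3)
        if int(priv) & 4 and target.lower() in (attribute.lower(),
                                                "[all attributes rights]"):
            writers.append(trustee)
    return writers


if __name__ == "__main__":
    for acl in SAMPLE_ACLS:
        print(decode_acl(acl))
    print("can modify loginScript:", can_modify(SAMPLE_ACLS, "loginScript"))
```

For the "Other Objects with ACL Attributes for This Object" section the same decoder names the trustee (here USER015) as the rights holder, so the line reads from the trustee's side rather than from the object that carries the ACL.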

Categories: Cool Tools, eDirectory

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

1 Comment

  1. By: shanedriggs

    This program requires an attribs.txt file and we are not told how to make one. Nor is one provided. Please provide. Thanks.