A year ago I posted an explanation about unauthenticated junctions for WebSEAL. Let’s do a similar task with pdadmin – create a "passthrough" ACL for WebSEAL.
[ Note: This post assumes that you have an authenticated ‘pdadmin’ session open! ]
First, we will create a fresh ACL:
pdadmin sec_master> acl create webseal-passthrough
pdadmin sec_master> acl show webseal-passthrough
ACL name: webseal-passthrough
Description:
Entries:
User sec_master TcmdbsvaBRl
pdadmin sec_master>
You can list all the ACLs in the system and confirm that your fresh ACL appears there. Note the default WebSEAL ACL – we’ll use it in a moment!
pdadmin sec_master> acl list
default-webseal
default-management-proxy
default-management
default-root
default-gso
default-policy
default-config
webseal-passthrough
default-domain
default-replica
pdadmin sec_master>
At this moment the ACL we just created contains the basic ‘sec_master’ entry only. Let’s copy the default set of permissions (for the system administrator group, the WebSEAL servers group, etc.) from the default WebSEAL ACL. We can skip the ‘any-other’ and ‘unauthenticated’ entries for now – we will take care of them later.
pdadmin sec_master> acl show default-webseal
ACL name: default-webseal
Description:
Entries:
Group iv-admin TcmdbsvaBRrxl
Group webseal-servers Tgmdbsrxl
User sec_master TcmdbsvaBRrxl
Any-other Trx
Unauthenticated T
pdadmin sec_master> acl modify webseal-passthrough set group iv-admin TcmdbsvaBRrxl
pdadmin sec_master> acl modify webseal-passthrough set group webseal-servers Tgmdbsrxl
pdadmin sec_master> acl modify webseal-passthrough set user sec_master TcmdbsvaBRrxl
pdadmin sec_master> acl show webseal-passthrough
ACL name: webseal-passthrough
Description:
Entries:
Group iv-admin TcmdbsvaBRrxl
Group webseal-servers Tgmdbsrxl
User sec_master TcmdbsvaBRrxl
pdadmin sec_master>
As you can see, our new ACL is (almost) a clone of the default ACL. Now let’s configure the proper access rights for both authenticated and unauthenticated users. Spot the difference from the default WebSEAL ACL: the unauthenticated entry gets read and execute, not just traverse!
pdadmin sec_master> acl modify webseal-passthrough set any-other Trx
pdadmin sec_master> acl modify webseal-passthrough set unauthenticated Trx
pdadmin sec_master> acl show webseal-passthrough
ACL name: webseal-passthrough
Description:
Entries:
Group iv-admin TcmdbsvaBRrxl
Group webseal-servers Tgmdbsrxl
User sec_master TcmdbsvaBRrxl
Any-other Trx
Unauthenticated Trx
pdadmin sec_master>
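The whole procedure above, scripted as an added example that is not part of the original post: a function that emits the pdadmin batch for the passthrough ACL, plus a small parser for ‘acl show’ output that verifies the two catch-all entries carry exactly Trx (present, so anonymous users pass through, and nothing beyond traverse/read/execute). The ‘acl show’ listing is the one from the post, embedded as a constructed string; feeding the batch to pdadmin on stdin is an assumption, check your own installation.

```shell
#!/bin/sh
# Added example (not from the original post): build the pdadmin batch for the
# passthrough ACL and verify an "acl show" listing against the intended policy.

# Constructed sample: the final "acl show webseal-passthrough" listing from the
# post, embedded as a string so the checks below run without a pdadmin session.
SAMPLE_ACL_SHOW='ACL name: webseal-passthrough
Description:
Entries:
    Group iv-admin TcmdbsvaBRrxl
    Group webseal-servers Tgmdbsrxl
    User sec_master TcmdbsvaBRrxl
    Any-other Trx
    Unauthenticated Trx'

# Print the pdadmin commands from the post for an ACL named $1, one per line.
# Assumption: they are fed to pdadmin on stdin, e.g.
#   passthrough_acl_commands webseal-passthrough | pdadmin -a sec_master -p "$PDADMIN_PW"
passthrough_acl_commands() {
  name="$1"
  printf '%s\n' \
    "acl create $name" \
    "acl modify $name set group iv-admin TcmdbsvaBRrxl" \
    "acl modify $name set group webseal-servers Tgmdbsrxl" \
    "acl modify $name set user sec_master TcmdbsvaBRrxl" \
    "acl modify $name set any-other Trx" \
    "acl modify $name set unauthenticated Trx"
}

# Extract the permission string of one entry from "acl show" output.
#   $1 = acl show output, $2 = entry type (Group, User, Any-other, Unauthenticated),
#   $3 = group/user name (omit for Any-other and Unauthenticated).
# Prints an empty line when the entry is absent.
acl_entry_perms() {
  printf '%s\n' "$1" | awk -v type="$2" -v name="$3" '
    $1 == type && (name == "" || $2 == name) { print $NF; found = 1; exit }
    END { if (!found) print "" }'
}

# Letters in permission string $1 that are not in the allowed set $2.
extra_perms() {
  printf '%s' "$1" | tr -d "$2"
}

# Succeed only when both catch-all entries carry exactly Trx: present (the
# passthrough must work for anonymous users) and nothing beyond traverse/read/execute.
check_passthrough_acl() {
  unauth=$(acl_entry_perms "$1" Unauthenticated)
  anyother=$(acl_entry_perms "$1" Any-other)
  [ "$unauth" = "Trx" ] && [ "$anyother" = "Trx" ]
}

# Stand-alone run: show the batch and check the embedded sample.
passthrough_acl_commands webseal-passthrough
if check_passthrough_acl "$SAMPLE_ACL_SHOW"; then
  echo "OK: any-other and unauthenticated are both Trx"
else
  unauth=$(acl_entry_perms "$SAMPLE_ACL_SHOW" Unauthenticated)
  echo "MISMATCH: unauthenticated='$unauth' extra='$(extra_perms "$unauth" Trx)'"
fi
```

Run it against a live listing with `check_passthrough_acl "$(pdadmin -a sec_master -p "$PDADMIN_PW" acl show webseal-passthrough)"` (again assuming that invocation works on your system); the exit status tells you whether the ACL still matches the policy, which is a cheap check to keep in a deployment script so that nobody later widens the unauthenticated entry by hand.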
In the next post I’ll explain how to use ACLs via pdadmin.