  • Rust 97.5%
  • HTML 2.5%
Alexander Bokovoy 53d3143385 fix(analysis): only flag read permission as password hash exposure
Search and compare are server-side operations — the attribute value
is never returned to the client. Only read permission actually
exposes password hashes. The previous check treated search and
compare as equivalent to read, producing false positives for
legitimate ACIs like "Search existence of password and kerberos keys".
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2026-06-29 11:46:52 +03:00
.github/workflows  ci: add GitHub Pages deployment  2026-06-28 19:08:45 +03:00
crates  refactor(parser): make allow/deny extraction whitespace-tolerant  2026-06-29 11:41:28 +03:00
docs  docs: update binary name and repository URLs in documentation  2026-06-29 10:34:06 +03:00
examples  refactor: update module name from aci_security_validator to aci_validator  2026-06-29 10:33:58 +03:00
src  fix(analysis): only flag read permission as password hash exposure  2026-06-29 11:46:52 +03:00
tests  refactor: update module name from aci_security_validator to aci_validator  2026-06-29 10:33:58 +03:00
.gitignore  chore: add workspace .gitignore  2026-06-28 21:08:32 +03:00
askama.toml  build: configure askama template engine  2026-06-28 19:10:50 +03:00
Cargo.lock  chore: rename package from aci-security-validator to aci-validator  2026-06-29 10:33:41 +03:00
Cargo.toml  chore: rename package from aci-security-validator to aci-validator  2026-06-29 10:33:41 +03:00
README.md  docs: update binary name in README to aci-validator  2026-06-29 10:34:02 +03:00

ACI Security Validator

A comprehensive security analysis tool for LDAP Access Control Instructions (ACIs), with specialized support for FreeIPA deployments.

Features

  • Comprehensive Security Analysis: Detects permission escalation, overly broad permissions, circular grants, and deep nesting
  • Permission Propagation Tracking: Traces how permissions flow through group membership hierarchies
  • Principal Inventory: Analyzes all bindable objects (users, services, hosts, groups, SimpleSecurityObjects)
  • ACI Complexity Scoring: Identifies overly complex ACIs that are hard to audit
  • Refactoring Suggestions: Provides actionable, schema-aware suggestions with complete before/after ACIs
  • Multiple Output Formats: Text, JSON, HTML (with TOC), and Markdown reports
  • Flexible Reporting: Full mode (show everything) or Executive mode (top findings only)
  • LDAP Schema Support: Schema-aware attribute suggestions based on target object types
  • FreeIPA Integration: Specialized support for FreeIPA ACIs and object classes

Quick Start

# Build
cargo build --release
# Basic analysis
./target/release/aci-validator \
 --ldif-file dump.ldif \
 --format html \
 --output report.html
# Detailed analysis with refactoring suggestions
./target/release/aci-validator \
 --ldif-file dump.ldif \
 --detailed-propagation \
 --format html \
 --output detailed-report.html

Documentation

📖 Full Documentation - Comprehensive documentation built with mdBook

Installation

cd aci-validator
cargo build --release
cargo install --path .

Usage

Basic Validation

# FreeIPA: separate ACI file and LDIF dump
aci-validator \
 --aci-file /path/to/ACI.txt \
 --ldif-file /path/to/export.ldif \
 --suffix dc=example,dc=com
# Complete LDIF with embedded ACIs and schema (recommended)
aci-validator \
 --ldif-file full-dump.ldif \
 --aci-file full-dump.ldif \
 --suffix dc=example,dc=com
# With verbose output to see schema parsing
aci-validator \
 --ldif-file full-dump.ldif \
 --aci-file full-dump.ldif \
 --verbose

Output Formats

# JSON output for CI/CD
aci-validator \
 --aci-file ACI.txt \
 --ldif-file export.ldif \
 --format json \
 --output report.json
# HTML report with professional styling
aci-validator \
 --aci-file ACI.txt \
 --ldif-file export.ldif \
 --format html \
 --output report.html

Filtering

# Only critical and high findings
aci-validator \
 --aci-file ACI.txt \
 --ldif-file export.ldif \
 --min-severity high

Permission Propagation Analysis

# Scan for dangerous permission propagation patterns
aci-validator \
 --ldif-file export.ldif \
 --analyze-propagation
# Analyze specific user's access to a target
aci-validator \
 --ldif-file export.ldif \
 --analyze-propagation \
 --user-dn "uid=alice,cn=users,cn=accounts,dc=example,dc=com" \
 --target-dn "uid=bob,cn=users,cn=accounts,dc=example,dc=com"

See Permission Propagation for detailed documentation.
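The propagation analysis described above, written out as an added example (not the project's own code): it follows the reverse member relation through nested groups, tolerates a circular grant, and reports at what nesting depth a group grant reaches a user. The directory slice, the sample_groups, effective_groups and grant_reaches names are constructed for this example.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Constructed directory slice: group DN -> its direct `member` DNs (users or groups).
/// admins and helpdesk contain each other, a circular grant the traversal must survive.
pub fn sample_groups() -> HashMap<&'static str, Vec<&'static str>> {
    HashMap::from([
        ("cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
         vec!["cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com"]),
        ("cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com",
         vec!["uid=alice,cn=users,cn=accounts,dc=example,dc=com",
              "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"]),
        ("cn=editors,cn=groups,cn=accounts,dc=example,dc=com",
         vec!["uid=bob,cn=users,cn=accounts,dc=example,dc=com"]),
    ])
}

/// Every group `dn` belongs to, directly or through nesting, with the nesting depth.
/// Breadth-first over the reverse `member` relation; the visited set stops circular loops.
pub fn effective_groups<'a>(groups: &HashMap<&'a str, Vec<&'a str>>, dn: &str) -> Vec<(&'a str, usize)> {
    let mut parents: HashMap<&'a str, Vec<&'a str>> = HashMap::new();
    for (g, members) in groups {
        for m in members { parents.entry(*m).or_default().push(*g); }
    }
    let mut seen: HashSet<&str> = HashSet::new();
    let mut out = Vec::new();
    let mut queue: VecDeque<(&str, usize)> = VecDeque::from([(dn, 0)]);
    while let Some((cur, depth)) = queue.pop_front() {
        for g in parents.get(cur).into_iter().flatten() {
            if seen.insert(*g) {
                out.push((*g, depth + 1));
                queue.push_back((*g, depth + 1));
            }
        }
    }
    out
}

/// A grant to `group_dn` (e.g. an ACI bind rule groupdn="ldap:///<group_dn>") reaches
/// `user_dn` if that group is among the user's effective groups; returns the depth.
pub fn grant_reaches<'a>(groups: &HashMap<&'a str, Vec<&'a str>>, group_dn: &str, user_dn: &str) -> Option<usize> {
    effective_groups(groups, user_dn).into_iter().find(|(g, _)| *g == group_dn).map(|(_, d)| d)
}

fn main() {
    let groups = sample_groups();
    let alice = "uid=alice,cn=users,cn=accounts,dc=example,dc=com";
    for (g, depth) in effective_groups(&groups, alice) {
        println!("{} is in {} via {} level(s) of nesting", alice, g, depth);
    }
}
```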

Exporting LDIF with Schema

OpenLDAP:

ldapsearch -H ldap://localhost -x -b "" -s base > complete.ldif
ldapsearch -H ldap://localhost -x -b "dc=example,dc=com" >> complete.ldif

389 Directory Server / FreeIPA:

ldapsearch -H ldap://ipa.example.com -x -b "cn=schema" -s base >> dump.ldif
ldapsearch -H ldap://ipa.example.com -x -b "dc=example,dc=com" >> dump.ldif

See Schema-Aware Suggestions for detailed schema extraction instructions.

Parse Errors

Some ACIs may fail to parse due to unsupported syntax or malformed entries. The validator handles these gracefully:

  • Warnings displayed during verbose execution
  • Original ACI text preserved for reference
  • Skipped in analysis to avoid false positives

Example:

Warning: Failed to parse ACI from dc=example,dc=com: Unknown operation: all

In your findings, you'll see the original ACI text instead of an error message. See Error Messages for details.

Project Structure

aci-validator/
├── crates/
│   ├── ldap-acis/          # LDAP ACI parsing and evaluation
│   ├── acls-rs/            # Permission algebra library
│   └── ldif-parser/        # LDIF format parser
└── src/                    # Main validator application
    ├── main.rs             # CLI interface
    └── validator/          # Security analysis modules
        ├── directory.rs    # Directory representation
        ├── scenarios.rs    # Access scenario simulation
        ├── analysis.rs     # Security rules
        └── report.rs       # Report generation

Development

# Build entire workspace
cargo build
# Run tests
cargo test
# Build specific crate
cargo build -p ldif-parser
# Run with verbose output
cargo run -- --aci-file test.txt --ldif-file test.ldif --verbose

Security Rules

Critical

  • Password hash protection (userPassword, krbPrincipalKey)
  • Anonymous access to sensitive attributes
  • Privilege escalation paths (memberOf, objectClass modification)

High Severity

  • Overly broad DN patterns (matching >50% of entries)
  • Large group write access
  • Cross-container access

Medium Severity

  • Conflicting ACIs
  • Redundant ACIs
  • Self-service risks
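An added example (not the validator's own code) of the Critical password-hash rule, applying the distinction from the latest commit: search and compare are evaluated server-side and never return values, so only an allow list containing read on userPassword or krbPrincipalKey is flagged. The parse_aci and exposed_hash_attrs functions and the two ACI strings are constructed for this example; the first string is modelled on the FreeIPA ACI named in the commit message.

```rust
use std::collections::HashSet;

/// Attribute names whose values are password hashes or Kerberos keys.
const HASH_ATTRS: &[&str] = &["userpassword", "krbprincipalkey"];

/// Minimal ACI view constructed for this example (not the project's own types).
#[derive(Debug, PartialEq)]
pub struct Aci {
    pub target_attrs: Vec<String>,
    pub allow_rights: Vec<String>,
}

/// Text between `key` and the next double quote, e.g. the body of targetattr="...".
fn quoted_after(s: &str, key: &str) -> Option<String> {
    let start = s.find(key)? + key.len();
    let end = s[start..].find('"')? + start;
    Some(s[start..end].to_string())
}

/// Parse `targetattr = "a || b"` and `allow (r1, r2)` from one raw ACI string.
/// Whitespace is stripped first so `allow ( read )` and `allow(read)` match alike.
pub fn parse_aci(raw: &str) -> Option<Aci> {
    let s: String = raw.to_ascii_lowercase().chars().filter(|c| !c.is_whitespace()).collect();
    let attrs = quoted_after(&s, "targetattr=\"")?;
    let rs = s.find("allow(")? + "allow(".len();
    let re = s[rs..].find(')')? + rs;
    Some(Aci {
        target_attrs: attrs.split("||").map(str::to_string).collect(),
        allow_rights: s[rs..re].split(',').map(str::to_string).collect(),
    })
}

/// Hash attributes an ACI really exposes. Only `read` returns attribute values
/// to the client; `search` and `compare` are evaluated server-side and return none.
pub fn exposed_hash_attrs(aci: &Aci) -> Vec<String> {
    let rights: HashSet<&str> = aci.allow_rights.iter().map(String::as_str).collect();
    if !rights.contains("read") { return Vec::new(); }
    aci.target_attrs.iter().filter(|a| HASH_ATTRS.contains(&a.as_str())).cloned().collect()
}

fn main() {
    // Constructed ACIs; the first mirrors the FreeIPA one named in the commit message.
    let search_only = "(targetattr = \"userPassword || krbPrincipalKey\")(version 3.0; acl \"Search existence of password and kerberos keys\"; allow (search, compare) userdn = \"ldap:///all\";)";
    let read_pw = "(targetattr=\"userPassword\")(version 3.0; acl \"read pw\"; allow(read) userdn=\"ldap:///anyone\";)";
    for raw in [search_only, read_pw] {
        let aci = parse_aci(raw).expect("constructed ACI parses");
        println!("{:?} exposes {:?}", aci.allow_rights, exposed_hash_attrs(&aci));
    }
}
```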

License

Same as ldap-acis and acls-rs crates.