# ACI Security Validator

A comprehensive security analysis tool for LDAP Access Control Instructions (ACIs), with specialized support for FreeIPA deployments.
## Features

- **Comprehensive Security Analysis**: Detects permission escalation, overly broad permissions, circular grants, and deep nesting
- **Permission Propagation Tracking**: Traces how permissions flow through group membership hierarchies
- **Principal Inventory**: Analyzes all bindable objects (users, services, hosts, groups, SimpleSecurityObjects)
- **ACI Complexity Scoring**: Identifies overly complex ACIs that are hard to audit
- **Refactoring Suggestions**: Provides actionable, schema-aware suggestions with complete before/after ACIs
- **Multiple Output Formats**: Text, JSON, HTML (with TOC), and Markdown reports
- **Flexible Reporting**: Full mode (show everything) or Executive mode (top findings only)
- **LDAP Schema Support**: Schema-aware attribute suggestions based on target object types
- **FreeIPA Integration**: Specialized support for FreeIPA ACIs and object classes
## Quick Start

```bash
# Build
cargo build --release

# Basic analysis
./target/release/aci-validator \
    --ldif-file dump.ldif \
    --format html \
    --output report.html

# Detailed analysis with refactoring suggestions
./target/release/aci-validator \
    --ldif-file dump.ldif \
    --detailed-propagation \
    --format html \
    --output detailed-report.html
```
## Documentation

📖 Full Documentation - Comprehensive documentation built with mdBook

Quick links:
## Installation

```bash
cd aci-validator
cargo build --release
cargo install --path .
```
## Usage

### Basic Validation

```bash
# FreeIPA: separate ACI file and LDIF dump
aci-validator \
    --aci-file /path/to/ACI.txt \
    --ldif-file /path/to/export.ldif \
    --suffix dc=example,dc=com

# Complete LDIF with embedded ACIs and schema (recommended)
aci-validator \
    --ldif-file full-dump.ldif \
    --aci-file full-dump.ldif \
    --suffix dc=example,dc=com

# With verbose output to see schema parsing
aci-validator \
    --ldif-file full-dump.ldif \
    --aci-file full-dump.ldif \
    --verbose
```
### Output Formats

```bash
# JSON output for CI/CD
aci-validator \
    --aci-file ACI.txt \
    --ldif-file export.ldif \
    --format json \
    --output report.json

# HTML report with professional styling
aci-validator \
    --aci-file ACI.txt \
    --ldif-file export.ldif \
    --format html \
    --output report.html
```
### Filtering

```bash
# Only critical and high findings
aci-validator \
    --aci-file ACI.txt \
    --ldif-file export.ldif \
    --min-severity high
```
### Permission Propagation Analysis

```bash
# Scan for dangerous permission propagation patterns
aci-validator \
    --ldif-file export.ldif \
    --analyze-propagation

# Analyze a specific user's access to a target
aci-validator \
    --ldif-file export.ldif \
    --analyze-propagation \
    --user-dn "uid=alice,cn=users,cn=accounts,dc=example,dc=com" \
    --target-dn "uid=bob,cn=users,cn=accounts,dc=example,dc=com"
```

See Permission Propagation for detailed documentation.
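The core of propagation analysis is a walk over nested group membership: a user inherits every grant made to any group the user belongs to, directly or through nesting. The following is an added illustration written for this README, not the validator's own code; it shows the three pieces the `--analyze-propagation` output is built from (effective groups of a principal, circular grants, and nesting depth) and answers the `--user-dn`/`--target-dn` question from the command above. The group DNs, the `Grant` struct and the sample directory are constructed for the example.

```rust
// Added example (not the aci-validator project's code): group-membership
// propagation in the style of `--analyze-propagation`, on constructed
// FreeIPA-style sample data.
use std::collections::{BTreeSet, HashMap, VecDeque};

pub const ALICE: &str = "uid=alice,cn=users,cn=accounts,dc=example,dc=com";
pub const BOB: &str = "uid=bob,cn=users,cn=accounts,dc=example,dc=com";
pub const HELPDESK: &str = "cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com";
pub const USERADMINS: &str = "cn=useradmins,cn=groups,cn=accounts,dc=example,dc=com";
pub const OPS: &str = "cn=ops,cn=groups,cn=accounts,dc=example,dc=com";
pub const SRE: &str = "cn=sre,cn=groups,cn=accounts,dc=example,dc=com";

/// Direct group membership, indexed from member to the groups it is in.
#[derive(Default)]
pub struct Groups {
    parents: HashMap<String, Vec<String>>, // member DN -> groups it is directly in
    groups: BTreeSet<String>,               // every group DN seen (sorted)
}

/// A simplified ACI: `grantee` (user or group DN) holds `rights` on `target`.
pub struct Grant {
    pub grantee: &'static str,
    pub target: &'static str,
    pub rights: &'static str,
}

impl Groups {
    pub fn add_member(&mut self, group: &str, member: &str) {
        self.groups.insert(group.to_string());
        self.parents.entry(member.to_string()).or_default().push(group.to_string());
    }

    /// Every group `principal` belongs to, directly or through nesting, with the
    /// shortest membership chain that reaches it (breadth-first search).
    pub fn effective_groups(&self, principal: &str) -> HashMap<String, Vec<String>> {
        let mut chains: HashMap<String, Vec<String>> = HashMap::new();
        let mut queue = VecDeque::from([(principal.to_string(), Vec::<String>::new())]);
        while let Some((node, chain)) = queue.pop_front() {
            for group in self.parents.get(&node).into_iter().flatten() {
                if chains.contains_key(group) {
                    continue; // already reached by a chain at least as short, or a cycle
                }
                let mut next = chain.clone();
                next.push(group.clone());
                chains.insert(group.clone(), next.clone());
                queue.push_back((group.clone(), next));
            }
        }
        chains
    }

    /// Groups that are (transitively) members of themselves: circular grants.
    pub fn circular_groups(&self) -> Vec<String> {
        self.groups
            .iter()
            .filter(|g| self.effective_groups(g.as_str()).contains_key(*g))
            .cloned()
            .collect()
    }

    /// Length of the deepest membership chain in the directory.
    pub fn max_nesting_depth(&self) -> usize {
        self.parents
            .keys()
            .map(|m| self.effective_groups(m).values().map(Vec::len).max().unwrap_or(0))
            .max()
            .unwrap_or(0)
    }
}

/// How `user` reaches `target`: each matching grant with the membership chain
/// that confers it (empty when the user is the grantee directly).
pub fn effective_access(groups: &Groups, grants: &[Grant], user: &str, target: &str) -> Vec<(String, Vec<String>)> {
    let reach = groups.effective_groups(user);
    grants
        .iter()
        .filter(|g| g.target == target)
        .filter_map(|g| {
            if g.grantee == user {
                Some((g.rights.to_string(), Vec::new()))
            } else {
                reach.get(g.grantee).map(|chain| (g.rights.to_string(), chain.clone()))
            }
        })
        .collect()
}

/// Constructed sample: alice -> helpdesk -> useradmins, useradmins may write
/// bob's entry, and ops/sre form a membership cycle.
pub fn sample_directory() -> (Groups, Vec<Grant>) {
    let mut g = Groups::default();
    g.add_member(HELPDESK, ALICE);
    g.add_member(USERADMINS, HELPDESK);
    g.add_member(OPS, SRE);
    g.add_member(SRE, OPS);
    let grants = vec![Grant { grantee: USERADMINS, target: BOB, rights: "write" }];
    (g, grants)
}

fn main() {
    let (groups, grants) = sample_directory();
    for (rights, chain) in effective_access(&groups, &grants, ALICE, BOB) {
        let via = if chain.is_empty() { "direct grant".to_string() } else { chain.join(" -> ") };
        println!("{ALICE} -> {BOB}: {rights} via {via}");
    }
    println!("circular groups: {:?}", groups.circular_groups());
    println!("max nesting depth: {}", groups.max_nesting_depth());
}
```

Breadth-first search gives the shortest chain per group, which is what an auditor wants to see in a finding; the `contains_key` guard is also what keeps the walk finite when the membership graph has a cycle, so the cycle check can reuse the same traversal and simply ask whether a group reaches itself.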
### Exporting LDIF with Schema

OpenLDAP:

```bash
ldapsearch -H ldap://localhost -x -b "" -s base > complete.ldif
ldapsearch -H ldap://localhost -x -b "dc=example,dc=com" >> complete.ldif
```

389 Directory Server / FreeIPA:

```bash
ldapsearch -H ldap://ipa.example.com -x -b "cn=schema" -s base >> dump.ldif
ldapsearch -H ldap://ipa.example.com -x -b "dc=example,dc=com" >> dump.ldif
```

See Schema-Aware Suggestions for detailed schema extraction instructions.
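The dumps produced above are consumed in the "Complete LDIF with embedded ACIs" mode, where each ACI is just an `aci` attribute on an entry. Two details of the LDIF format matter when reading such a dump: `ldapsearch` folds long values (an ACI easily exceeds one line) onto continuation lines that begin with a single space, and values that are not safe to print are emitted base64-encoded after `::`. The following is an added example written for this README, not the project's `ldif-parser` crate; it parses a small constructed dump, handles both details, and extracts `(entry DN, ACI text)` pairs ready for analysis.

```rust
// Added example (not the aci-validator project's code): a minimal LDIF reader
// that unfolds continuation lines, decodes `::` base64 values and collects
// the `aci` attributes of every entry. The sample dump is constructed.
use std::collections::BTreeMap;

#[derive(Debug, Default, PartialEq)]
pub struct Entry {
    pub dn: String,
    pub attrs: BTreeMap<String, Vec<String>>, // attribute names lower-cased
}

/// Constructed dump: a folded `aci` value and a base64 `description`.
pub const SAMPLE_LDIF: &str = r#"version: 1
dn: dc=example,dc=com
objectClass: domain
dc: example
description:: UHJvZHVjdGlvbiBkaXJlY3Rvcnk=
aci: (targetattr = "userPassword")(version 3.0; acl "anonymous password
  read"; allow (read) userdn = "ldap:///anyone";)

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: alice
"#;

/// Standard base64 decoder (no crate dependency); `None` on an invalid byte.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' => break, // padding: no more data
            _ => return None,
        } as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Join LDIF continuation lines: a line starting with one space continues the previous line.
fn unfold(ldif: &str) -> Vec<String> {
    let mut lines: Vec<String> = Vec::new();
    for raw in ldif.lines() {
        if let Some(rest) = raw.strip_prefix(' ') {
            if let Some(last) = lines.last_mut() {
                last.push_str(rest);
                continue;
            }
        }
        lines.push(raw.to_string());
    }
    lines
}

pub fn parse_ldif(ldif: &str) -> Vec<Entry> {
    let mut entries = Vec::new();
    let mut cur: Option<Entry> = None;
    for line in unfold(ldif) {
        if line.is_empty() {
            entries.extend(cur.take()); // a blank line ends the entry
            continue;
        }
        if line.starts_with('#') || line.starts_with("version:") {
            continue;
        }
        let (name, rest) = match line.split_once(':') {
            Some(split) => split,
            None => continue, // not attribute syntax; ignore
        };
        let value = match rest.strip_prefix(':') {
            // `attr:: <base64>` carries an encoded value
            Some(b64) => match base64_decode(b64.trim()).and_then(|b| String::from_utf8(b).ok()) {
                Some(v) => v,
                None => continue, // undecodable value: skip the attribute
            },
            None if rest.starts_with('<') => continue, // `attr:< url` form is not handled here
            None => rest.trim().to_string(),
        };
        let name = name.trim().to_ascii_lowercase();
        if name == "dn" {
            entries.extend(cur.take());
            cur = Some(Entry { dn: value, attrs: BTreeMap::new() });
        } else if let Some(entry) = cur.as_mut() {
            entry.attrs.entry(name).or_default().push(value);
        }
    }
    entries.extend(cur);
    entries
}

/// `(entry DN, ACI text)` for every `aci` attribute in the dump.
pub fn extract_acis(entries: &[Entry]) -> Vec<(String, String)> {
    entries
        .iter()
        .flat_map(|e| e.attrs.get("aci").into_iter().flatten().map(move |a| (e.dn.clone(), a.clone())))
        .collect()
}

fn main() {
    for (dn, aci) in extract_acis(&parse_ldif(SAMPLE_LDIF)) {
        println!("{dn}\n  {aci}");
    }
}
```

Without the unfolding step the second half of a long ACI would be parsed as a stray line and the ACI itself would be truncated, which is one way a dump can produce the parse warnings described under Parse Errors even though the directory's ACI is well-formed.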
## Parse Errors

Some ACIs may fail to parse because of unsupported syntax or malformed entries. The validator handles these gracefully:

- Warnings are displayed during verbose execution
- The original ACI text is preserved for reference
- Unparseable ACIs are skipped in analysis to avoid false positives

Example:

```text
Warning: Failed to parse ACI from dc=example,dc=com: Unknown operation: all
```

In your findings, you'll see the original ACI text instead of an error message. See Error Messages for details.
## Project Structure

```text
aci-validator/
├── crates/
│   ├── ldap-acis/        # LDAP ACI parsing and evaluation
│   ├── acls-rs/          # Permission algebra library
│   └── ldif-parser/      # LDIF format parser
└── src/                  # Main validator application
    ├── main.rs           # CLI interface
    └── validator/        # Security analysis modules
        ├── directory.rs  # Directory representation
        ├── scenarios.rs  # Access scenario simulation
        ├── analysis.rs   # Security rules
        └── report.rs     # Report generation
```
## Development

```bash
# Build entire workspace
cargo build

# Run tests
cargo test

# Build specific crate
cargo build -p ldif-parser

# Run with verbose output
cargo run -- --aci-file test.txt --ldif-file test.ldif --verbose
```
## Security Rules

### Critical

- Password hash protection (userPassword, krbPrincipalKey)
- Anonymous access to sensitive attributes
- Privilege escalation paths (memberOf, objectClass modification)

### High Severity

- Overly broad DN patterns (matching >50% of entries)
- Large group write access
- Cross-container access

### Medium Severity

- Conflicting ACIs
- Redundant ACIs
- Self-service risks
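To make the Critical rules above and the Parse Errors behaviour concrete, here is an added example written for this README, not the project's `ldap-acis` crate or its analysis modules. It parses a small subset of 389-DS/FreeIPA ACI syntax (`targetattr`, the `acl` name, the `allow (...)` rights list and `userdn`), skips any ACI it cannot parse while keeping the original text and emitting the same warning shape shown under Parse Errors, and applies three rules: anonymous access to a sensitive attribute, password hashes readable by anyone other than the entry itself, and write access to `memberOf`/`objectClass`. The rights keyword `all` is deliberately left out of the known-operation list so the sample reproduces the page's "Unknown operation: all" warning; that is a simplification of this example, and the sample ACIs are constructed.

```rust
// Added example (not the aci-validator project's code): a toy parser for a
// subset of 389-DS / FreeIPA ACI syntax plus the "Critical" rules, with
// unparseable ACIs skipped and their original text retained.

#[derive(Debug, Clone, PartialEq)]
pub struct Aci {
    pub name: String,
    pub target_attrs: Vec<String>, // lower-cased; "*" means every attribute
    pub rights: Vec<String>,
    pub bind_rule: String,         // lower-cased userdn value
}

#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub severity: &'static str,
    pub acl: String,
    pub message: String,
}

#[derive(Debug, Default)]
pub struct Report {
    pub findings: Vec<Finding>,
    pub warnings: Vec<String>,
    pub skipped: Vec<String>, // original text of ACIs that failed to parse
}

// `all` is intentionally absent so `allow (all)` triggers "Unknown operation: all"
// as in the page's warning; a production parser would expand it instead.
const KNOWN_OPS: &[&str] = &["read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy"];
const PASSWORD_ATTRS: &[&str] = &["userpassword", "krbprincipalkey"];
const ESCALATION_ATTRS: &[&str] = &["memberof", "objectclass"];

/// Constructed sample: (entry DN the ACI was read from, ACI text).
pub const SAMPLE_ACIS: &[(&str, &str)] = &[
    ("dc=example,dc=com", r#"(targetattr = "userPassword || krbPrincipalKey")(version 3.0; acl "anon read passwords"; allow (read, search) userdn = "ldap:///anyone";)"#),
    ("cn=users,cn=accounts,dc=example,dc=com", r#"(targetattr = "memberOf")(version 3.0; acl "self memberOf write"; allow (write) userdn = "ldap:///self";)"#),
    ("dc=example,dc=com", r#"(targetattr = "*")(version 3.0; acl "legacy"; allow (all) userdn = "ldap:///anyone";)"#),
    ("cn=users,cn=accounts,dc=example,dc=com", r#"(targetattr = "cn || sn")(version 3.0; acl "anon read names"; allow (read, search, compare) userdn = "ldap:///anyone";)"#),
];

/// First double-quoted value following `key` (case-insensitive search).
fn quoted_after(src: &str, key: &str) -> Option<String> {
    let lower = src.to_ascii_lowercase(); // ASCII lower-casing keeps byte offsets aligned with `src`
    let k = lower.find(key)?;
    let open = lower[k..].find('"')? + k;
    let close = lower[open + 1..].find('"')? + open + 1;
    Some(src[open + 1..close].to_string())
}

pub fn parse_aci(src: &str) -> Result<Aci, String> {
    let name = quoted_after(src, "acl ").ok_or("missing acl name")?;
    let target_attrs: Vec<String> = quoted_after(src, "targetattr")
        .map(|s| s.split("||").map(|a| a.trim().to_ascii_lowercase()).collect())
        .unwrap_or_default();
    let lower = src.to_ascii_lowercase();
    let allow = lower.find("allow").ok_or("missing allow clause")?;
    let open = lower[allow..].find('(').ok_or("missing rights list")? + allow;
    let close = lower[open..].find(')').ok_or("unterminated rights list")? + open;
    let mut rights = Vec::new();
    for op in lower[open + 1..close].split(',') {
        let op = op.trim();
        if !KNOWN_OPS.contains(&op) {
            return Err(format!("Unknown operation: {op}"));
        }
        rights.push(op.to_string());
    }
    let bind_rule = quoted_after(src, "userdn").unwrap_or_default().to_ascii_lowercase();
    Ok(Aci { name, target_attrs, rights, bind_rule })
}

/// Which of `attrs` the ACI covers (`*` covers all of them).
fn targets(aci: &Aci, attrs: &[&str]) -> Vec<String> {
    if aci.target_attrs.iter().any(|a| a == "*") {
        return attrs.iter().map(|a| a.to_string()).collect();
    }
    aci.target_attrs.iter().filter(|a| attrs.contains(&a.as_str())).cloned().collect()
}

pub fn check_critical(aci: &Aci) -> Vec<Finding> {
    let mut out = Vec::new();
    let anonymous = aci.bind_rule.contains("ldap:///anyone");
    let self_only = aci.bind_rule.contains("ldap:///self");
    let can_read = aci.rights.iter().any(|r| matches!(r.as_str(), "read" | "search" | "compare"));
    let can_write = aci.rights.iter().any(|r| matches!(r.as_str(), "write" | "add" | "selfwrite"));
    let pw = targets(aci, PASSWORD_ATTRS);
    let esc = targets(aci, ESCALATION_ATTRS);
    let mut push = |message: String| out.push(Finding { severity: "critical", acl: aci.name.clone(), message });
    if anonymous && (!pw.is_empty() || !esc.is_empty()) {
        let all: Vec<String> = pw.iter().chain(esc.iter()).cloned().collect();
        push(format!("anonymous access to sensitive attributes: {}", all.join(", ")));
    } else if can_read && !self_only && !pw.is_empty() {
        push(format!("password hashes readable by {}: {}", aci.bind_rule, pw.join(", ")));
    }
    if can_write && !esc.is_empty() {
        push(format!("privilege escalation: write to {}", esc.join(", ")));
    }
    out
}

/// Parse every ACI, warn about (and skip) the ones that fail, and collect findings.
pub fn analyze(raw: &[(&str, &str)]) -> Report {
    let mut report = Report::default();
    for (dn, text) in raw {
        match parse_aci(text) {
            Ok(aci) => report.findings.extend(check_critical(&aci)),
            Err(e) => {
                report.warnings.push(format!("Warning: Failed to parse ACI from {dn}: {e}"));
                report.skipped.push(text.to_string()); // original text kept for the report
            }
        }
    }
    report
}

fn main() {
    let report = analyze(SAMPLE_ACIS);
    for w in &report.warnings {
        println!("{w}");
    }
    for f in &report.findings {
        println!("[{}] {}: {}", f.severity.to_uppercase(), f.acl, f.message);
    }
}
```

The two constructed findings match the first and third Critical bullets (anonymous read of `userPassword`/`krbPrincipalKey`, and a self-service write to `memberOf`), while the `allow (all)` ACI is reported as a warning with its text retained rather than silently producing a false positive or a false negative.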
## License

Same as the ldap-acis and acls-rs crates.