FreeIPA LDAP Enumeration: Commands and Security Cheatsheet
Updated on December 18, 2025
Table of Contents
- 1. Privileged Accounts & Groups
- 2. SUDO Rules (Critical for Privilege Escalation)
- 3. HBAC Policies (Access Control Rules)
- 4. Hosts & Services
- 5. SSH Public Keys (Lateral Movement)
- 6. Password & Kerberos Policies
- 7. Certificate Authority & Profiles
- 8. DNS Records
- 9. Active Directory Trusts
- 10. Topology & Replication
- 11. Automation & Vaults
- 12. Automated Full Dump
- 13. Post-Extraction Analysis
FreeIPA keeps its whole configuration (accounts, sudo and HBAC policy, hosts and services, certificates, trusts, replication topology) in 389 Directory Server, so a single LDAP client can map most of an environment; the same queries let administrators audit what an unauthenticated or low-privileged client can learn. The commands below use anonymous simple binds (-x). FreeIPA allows anonymous reads of many subtrees by default, but access controls hide some attributes and whole containers from unauthenticated clients (sudo rules in particular are readable only by authenticated users), and an administrator may have set nsslapd-allow-anonymous-access to rootdse. When a query returns nothing, repeat it with a valid bind (-D "uid=someuser,cn=users,cn=accounts,dc=corp,dc=com" -W, or -Y GSSAPI with a Kerberos ticket). LDAPTLS_REQCERT=never disables certificate verification, which is convenient before you have the IPA CA certificate but also makes the session trivially interceptable; drop it once you do. Replace ipa-server.com and dc=corp,dc=com with the target's hostname and base DN.
Priority 1: Privileged Accounts & Groups
Identifying administrative groups is the first step in mapping the privilege hierarchy within a FreeIPA environment.
# 1. Dump all groups with memberships (identify admin groups)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=groups,cn=accounts,dc=corp,dc=com" "(objectClass=posixGroup)" cn gidNumber member memberUid description > groups.ldif
# 2. Find admin-level accounts (admins group)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=admins,cn=groups,cn=accounts,dc=corp,dc=com" "(objectClass=*)" member memberUid
# 3. Extract trust admins (if AD trust exists)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=trust admins,cn=groups,cn=accounts,dc=corp,dc=com" "(objectClass=*)" member
# 4. Enumerate users with elevated privileges
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=users,cn=accounts,dc=corp,dc=com" "(memberOf=cn=admins,cn=groups,cn=accounts,dc=corp,dc=com)" uid uidNumber memberOf
MITRE ATT&CK: T1069.002 (Permission Groups Discovery: Domain Groups)
Priority 2: SUDO Rules (Critical for Privilege Escalation)
Sudo rules are the most direct path to root on enrolled hosts. FreeIPA exposes them twice: the native rules under cn=sudorules,cn=sudo use the ipasudorule schema (cmdCategory, memberAllowCmd, ipaSudoOpt, ipaSudoRunAs), while the compat plugin re-publishes them under ou=sudoers,dc=corp,dc=com in the standard sudoers LDAP schema (sudoUser, sudoHost, sudoCommand, sudoOption) that sudo itself reads. A NOPASSWD rule is stored in both trees as the option !authenticate, never as the literal string NOPASSWD, and "all commands" is cmdCategory=all natively or sudoCommand: ALL in the compat tree. Both trees normally require an authenticated bind.
# 5. Extract ALL sudo rules (native tree, ipasudorule schema)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=sudorules,cn=sudo,dc=corp,dc=com" "(objectClass=ipaSudoRule)" cn ipaEnabledFlag memberHost hostCategory memberUser userCategory memberAllowCmd memberDenyCmd cmdCategory ipaSudoRunAs ipaSudoRunAsGroup ipaSudoRunAsUserCategory ipaSudoOpt > sudo_rules.ldif
# 6. Find enabled rules that grant ALL commands (cmdCategory=all; in the compat tree this appears as sudoCommand: ALL)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=sudorules,cn=sudo,dc=corp,dc=com" "(&(objectClass=ipaSudoRule)(ipaEnabledFlag=TRUE)(cmdCategory=all))" cn memberHost hostCategory memberUser userCategory ipaSudoRunAs
# 7. Identify NOPASSWD rules: stored as the option !authenticate (single quotes stop bash from treating ! as history expansion)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=sudorules,cn=sudo,dc=corp,dc=com" '(&(objectClass=ipaSudoRule)(ipaEnabledFlag=TRUE)(ipaSudoOpt=!authenticate))' cn memberHost hostCategory memberUser userCategory memberAllowCmd cmdCategory
MITRE ATT&CK: T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching)
Priority 3: HBAC Policies (Access Control Rules)
Host-Based Access Control (HBAC) defines which users may access which PAM services (sshd, login, sudo, gdm and so on) on which hosts; SSSD on each client evaluates the rules at login time. A fresh installation ships with an enabled allow_all rule covering every user, host and service, so an environment that never disabled it lets any valid account log in anywhere and relies on sudo and local controls for everything else.
# 8. Dump all Host-Based Access Control rules
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=hbac,dc=corp,dc=com" "(objectClass=ipaHBACRule)" cn ipaEnabledFlag accessRuleType memberUser memberHost memberService serviceCategory hostCategory userCategory > hbac_rules.ldif
# 9. Find enabled allow rules with no user or host restriction (the stock allow_all rule, if never disabled, shows up here)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=hbac,dc=corp,dc=com" "(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(accessRuleType=allow)(|(userCategory=all)(hostCategory=all)))" cn userCategory hostCategory serviceCategory memberService
# 10. Extract HBAC services (SSH, login, gdm, etc.)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=hbacservices,cn=hbac,dc=corp,dc=com" "(objectClass=ipaHBACService)" cn description
MITRE ATT&CK: T1078.002 (Valid Accounts: Domain Accounts)
Priority 4: Hosts & Services
Enumerating hosts and service principals maps the lateral-movement surface: which hosts exist, which applications run on them, and which hosts or users may manage each service (managedBy) and therefore retrieve its keytab. Kerberoasting is far less fruitful against FreeIPA than against Active Directory: service keys are generated randomly by ipa-getkeytab, so a TGS-REP for such a service is not realistically crackable unless an administrator deliberately derived the keytab from a password (ipa-getkeytab -P), and FreeIPA user accounts do not carry service principal names. Treat a Kerberoast target list as candidates to verify, not as a finding.
# 11. Enumerate all enrolled hosts (servers/workstations)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=computers,cn=accounts,dc=corp,dc=com" "(objectClass=ipaHost)" fqdn description macAddress managedBy enrolledBy ipaClientVersion > hosts.ldif
# 12. Extract service principals (Kerberos services - Kerberoasting targets)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=services,cn=accounts,dc=corp,dc=com" "(krbPrincipalName=*)" krbPrincipalName krbCanonicalName managedBy description > services.ldif
# 13. Find HTTP service principals (web applications)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=services,cn=accounts,dc=corp,dc=com" "(krbPrincipalName=HTTP/*)" krbPrincipalName managedBy
# 14. Dump hostgroups (server groupings)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=hostgroups,cn=accounts,dc=corp,dc=com" "(objectClass=ipaHostGroup)" cn member memberHost description
MITRE ATT&CK: T1087.002 (Account Discovery: Domain Account), T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting)
Priority 5: SSH Public Keys (Lateral Movement)
FreeIPA stores users' SSH public keys and each enrolled host's SSH host keys in the ipaSshPubKey attribute, and SSSD feeds them to sshd (sss_ssh_authorizedkeys and the known-hosts integration), so a key listed on a user is accepted on every host where that user is allowed to log in. Public keys are not credentials, but they show which accounts authenticate with keys, let you match a private key recovered from a compromised host to its owner by fingerprint, and expose the same key being shared across several accounts.
# 15. Extract SSH public keys from all user accounts (-o ldif-wrap=no keeps each key on one line; host keys are in the same attribute under cn=computers,cn=accounts)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -o ldif-wrap=no -H ldaps://ipa-server.com:636 -b "cn=users,cn=accounts,dc=corp,dc=com" "(ipaSshPubKey=*)" uid ipaSshPubKey mail > ssh_keys.ldif
# 16. Flatten to "uid key" lines for offline analysis (attribute names come back in schema case, so compare case-insensitively)
awk 'tolower($1)=="uid:" {u=$2} tolower($1)=="ipasshpubkey:" {$1=""; sub(/^ /, ""); print u, $0}' ssh_keys.ldif > extracted_ssh_keys.txt
MITRE ATT&CK: T1087.002 (Account Discovery: Domain Account); a private key recovered elsewhere that matches one of these public keys falls under T1552.004 (Unsecured Credentials: Private Keys)
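The following is an added example, not part of the original cheatsheet, showing what to do with the ipaSshPubKey values once they are extracted: index them by OpenSSH fingerprint so that a public key found in a compromised host's ~/.ssh can be attributed to its LDAP owner, and so that one key attached to several identities stands out. The key blobs are constructed placeholders (base64 of a label), not real keys; the fingerprint algorithm is the one ssh-keygen -l prints (SHA256 over the decoded blob, base64 without padding).

```python
"""Match SSH public keys extracted from FreeIPA (ipaSshPubKey) by fingerprint.

Added example, not part of the original cheatsheet. Key blobs below are
constructed placeholders (base64 of a label), not real SSH wire-format keys.
"""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

Owners = List[Tuple[str, str]]          # (owner, "user" | "host")


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of an authorized_keys-style line; the comment is ignored."""
    _key_type, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def index_keys(records: List[Tuple[str, str, str]]) -> Dict[str, Owners]:
    """Map fingerprint -> owners for (owner, kind, ipaSshPubKey) records.

    Users (cn=users) and hosts (cn=computers) both carry ipaSshPubKey, so one
    index answers both "whose key is this?" and "which host key is this?".
    """
    index: Dict[str, Owners] = defaultdict(list)
    for owner, kind, key in records:
        index[fingerprint(key)].append((owner, kind))
    return dict(index)


def owners_of(index: Dict[str, Owners], pubkey_line: str) -> Owners:
    """Identities whose LDAP entry carries this public key."""
    return index.get(fingerprint(pubkey_line), [])


def shared_keys(index: Dict[str, Owners]) -> Dict[str, Owners]:
    """Fingerprints present on more than one identity: one private key, several accounts."""
    return {fp: owners for fp, owners in index.items() if len(owners) > 1}


def _blob(label: str) -> str:
    # Constructed placeholder for a key blob; real blobs are SSH wire format.
    return base64.b64encode(label.encode()).decode()


# Constructed sample in the shape of "uid/fqdn + ipaSshPubKey" extraction output.
SAMPLE_RECORDS = [
    ("alice", "user", f"ssh-ed25519 {_blob('alice laptop key')} alice@laptop"),
    ("alice", "user", f"ssh-rsa {_blob('alice yubikey')} alice@yubikey"),
    ("bob", "user", f"ssh-ed25519 {_blob('shared ops key')} bob@jump"),
    ("deploy", "user", f"ssh-ed25519 {_blob('shared ops key')} deploy"),
    ("app01.corp.com", "host", f"ssh-ed25519 {_blob('app01 host key')}"),
]

# Public half of a private key recovered from a compromised host's ~/.ssh:
# same blob as alice's laptop key, different comment.
RECOVERED_PUBKEY = f"ssh-ed25519 {_blob('alice laptop key')} root@app01"

if __name__ == "__main__":
    idx = index_keys(SAMPLE_RECORDS)
    print("recovered key belongs to:", owners_of(idx, RECOVERED_PUBKEY))
    for fp, owners in shared_keys(idx).items():
        print("key reuse:", fp, owners)
```

Feed it the "uid key" lines produced by the awk command above (or the fqdn/ipaSshPubKey pairs from cn=computers) and the .pub files found on hosts; a match on fingerprint is independent of the key comment, which is routinely edited or stripped.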
Priority 6: Password & Kerberos Policies
The global password policy and any per-group policies live under the realm container cn=CORP.COM,cn=kerberos (realm name in upper case). krbPwdMaxFailure and krbPwdFailureCountInterval define how many failures within what window lock an account and krbPwdLockoutDuration how long it stays locked, which bounds any password spraying. Pre-authentication is governed by krbTicketFlags on the principal or, when the attribute is absent, by the realm default; userAccountControl is an Active Directory attribute and does not exist on FreeIPA users.
# 17. Extract the global and per-group password/lockout policies (realm container DN uses the upper-case realm name)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=CORP.COM,cn=kerberos,dc=corp,dc=com" "(objectClass=krbPwdPolicy)" cn krbMaxPwdLife krbMinPwdLife krbPwdMinLength krbPwdMinDiffChars krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration
# 18. Find users with no password expiration set; also sort krbPasswordExpiration across all users, since admins disable expiry by setting a far-future date such as 20380101000000Z
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=users,cn=accounts,dc=corp,dc=com" '(&(objectClass=posixAccount)(!(krbPasswordExpiration=*)))' uid krbLastPwdChange
# 19. Identify accounts whose own krbTicketFlags omit REQUIRES_PRE_AUTH (bit 0x80 = 128), the AS-REP roasting precondition; entries without krbTicketFlags inherit the realm default, which requires pre-authentication, so they are excluded
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=users,cn=accounts,dc=corp,dc=com" '(&(objectClass=krbPrincipalAux)(krbTicketFlags=*)(!(krbTicketFlags:1.2.840.113556.1.4.803:=128)))' uid krbPrincipalName krbTicketFlags
MITRE ATT&CK: T1201 (Password Policy Discovery), T1558.004 (AS-REP Roasting)
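As an added example that is not part of the original cheatsheet, the script below decodes krbTicketFlags values pulled from the user tree into the KRB5_KDB_* flag names, applies the rule the KDC applies (a principal's own flags, else the realm default) to decide which accounts can obtain an AS-REP without pre-authentication, and builds the bitwise LDAP filter used in #19 above. The flag bits are those of MIT krb5's kdb.h; the realm default being REQUIRES_PRE_AUTH is an assumption stated in the code, matching FreeIPA's behaviour for principals that carry no krbTicketFlags of their own.

```python
"""Decode krbTicketFlags and pick AS-REP roasting candidates from parsed LDIF.

Added example, not part of the original cheatsheet. Flag values are the
KRB5_KDB_* bits from MIT krb5's kdb.h. REALM_DEFAULT_FLAGS is an assumption:
FreeIPA's KDC requires pre-authentication for principals with no
krbTicketFlags of their own, so the default is modelled as 0x80.
"""
from typing import Dict, List, Optional

KRB5_KDB_FLAGS = {
    0x00000001: "DISALLOW_POSTDATED",
    0x00000002: "DISALLOW_FORWARDABLE",
    0x00000004: "DISALLOW_TGT_BASED",
    0x00000008: "DISALLOW_RENEWABLE",
    0x00000010: "DISALLOW_PROXIABLE",
    0x00000020: "DISALLOW_DUP_SKEY",
    0x00000040: "DISALLOW_ALL_TIX",
    0x00000080: "REQUIRES_PRE_AUTH",
    0x00000100: "REQUIRES_HW_AUTH",
    0x00000200: "REQUIRES_PWCHANGE",
    0x00001000: "DISALLOW_SVR",
    0x00002000: "PWCHANGE_SERVICE",
    0x00100000: "OK_AS_DELEGATE",
    0x00200000: "OK_TO_AUTH_AS_DELEGATE",
    0x00400000: "NO_AUTH_DATA_REQUIRED",
}
REQUIRES_PRE_AUTH = 0x80
DISALLOW_ALL_TIX = 0x40
REALM_DEFAULT_FLAGS = REQUIRES_PRE_AUTH      # assumption, see module docstring
BITWISE_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND, supported by 389 DS


def decode_flags(value: int) -> List[str]:
    """Names of the set KRB5_KDB_* bits, lowest bit first."""
    return [name for bit, name in sorted(KRB5_KDB_FLAGS.items()) if value & bit]


def effective_flags(raw: Optional[str]) -> int:
    """Flags as the KDC sees them: the entry's own value, or the realm default when absent."""
    return int(raw) if raw is not None else REALM_DEFAULT_FLAGS


def asrep_candidates(principals: List[Dict[str, Optional[str]]]) -> List[str]:
    """Principals that can receive an AS-REP without pre-authentication.

    Each dict carries 'krbPrincipalName' and the raw 'krbTicketFlags' string
    (None when the attribute is absent). Disabled principals (DISALLOW_ALL_TIX)
    are skipped because the KDC issues them no ticket at all.
    """
    hits = []
    for p in principals:
        flags = effective_flags(p.get("krbTicketFlags"))
        if flags & DISALLOW_ALL_TIX:
            continue
        if not flags & REQUIRES_PRE_AUTH:
            hits.append(p["krbPrincipalName"])
    return hits


def missing_bit_filter(attr: str, bit: int) -> str:
    """LDAP filter for entries that set `attr` but leave `bit` clear.

    Requiring the attribute to be present matters: an entry with no
    krbTicketFlags is not a hit, because it inherits the realm default.
    """
    return f"(&({attr}=*)(!({attr}:{BITWISE_AND_OID}:={bit})))"


# Constructed sample in the shape of parsed ldapsearch output for #19.
SAMPLE_PRINCIPALS = [
    {"krbPrincipalName": "alice@CORP.COM", "krbTicketFlags": "128"},     # explicit pre-auth
    {"krbPrincipalName": "svc-backup@CORP.COM", "krbTicketFlags": "0"},  # pre-auth cleared
    {"krbPrincipalName": "bob@CORP.COM", "krbTicketFlags": None},        # inherits realm default
    {"krbPrincipalName": "olduser@CORP.COM", "krbTicketFlags": "64"},    # disabled account
]

if __name__ == "__main__":
    for p in SAMPLE_PRINCIPALS:
        print(p["krbPrincipalName"], decode_flags(effective_flags(p["krbTicketFlags"])))
    print("AS-REP candidates:", asrep_candidates(SAMPLE_PRINCIPALS))
    print(missing_bit_filter("krbTicketFlags", REQUIRES_PRE_AUTH))
```

Only svc-backup is a candidate: alice requires pre-authentication explicitly, bob inherits the realm default, and olduser is disabled even though its flags lack the pre-auth bit. Running the same decode over the krbTicketFlags column of a full user dump is the quickest way to spot principals whose flags were hand-edited.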
Priority 7: Certificate Authority & Profiles
The integrated Dogtag CA is a high-value target for persistent, domain-wide compromise: certificate profiles decide what can be issued, CA ACLs (cn=caacls,cn=ca) decide who may request which profile for which principal, and certificate mapping rules decide how a presented certificate is matched to a user for PKINIT and smart-card login. A profile that issues user certificates to a broad group, combined with a permissive mapping rule, is a standing credential-forgery path.
# 20. Enumerate certificate profiles
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=certprofiles,cn=ca,dc=corp,dc=com" "(objectClass=ipaCertProfile)" cn description ipaCertProfileStoreIssued > cert_profiles.ldif
# 21. Extract CA configuration (the IPA CA plus any lightweight sub-CAs)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=cas,cn=ca,dc=corp,dc=com" "(objectClass=ipaCa)" cn ipaCaId ipaCaSubjectDN ipaCaIssuerDN description
# 22. Find certificate mapping rules (which certificate fields are matched to which user attributes when a certificate is used to authenticate)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=certmaprules,cn=certmap,dc=corp,dc=com" "(objectClass=ipaCertMapRule)" cn ipaEnabledFlag ipaCertMapMatchRule ipaCertMapMapRule ipaCertMapPriority associatedDomain
MITRE ATT&CK: T1649 (Steal or Forge Authentication Certificates)
Priority 8: DNS Records (If Integrated)
Integrated DNS records provide a full map of the network topology and service locations.
# 23. Extract DNS zones, including who may query, transfer and dynamically update them
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=dns,dc=corp,dc=com" "(objectClass=idnsZone)" idnsName idnsZoneActive idnsAllowQuery idnsAllowTransfer idnsAllowDynUpdate idnsUpdatePolicy idnsAllowSyncPTR > dns_zones.ldif
# 24. Dump all DNS A records (recent versions store zone DNs with a trailing dot, so search from cn=dns instead of guessing the zone DN)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=dns,dc=corp,dc=com" "(aRecord=*)" idnsName aRecord
# 25. Extract DNS SRV records (service discovery: _kerberos, _ldap and _kpasswd point at every IPA server)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=dns,dc=corp,dc=com" "(sRVRecord=*)" idnsName sRVRecord
MITRE ATT&CK: T1590.002 (Gather Victim Network Information: DNS)
Priority 9: Active Directory Trusts (If Configured)
Trusts often allow for cross-forest lateral movement from FreeIPA into a Windows AD environment.
# 26. Check for AD trust configurations
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=ad,cn=trusts,dc=corp,dc=com" "(objectClass=ipaNTTrustedDomain)" cn ipaNTTrustPartner ipaNTTrustType ipaNTTrustDirection ipaNTTrustAttributes
# 27. Extract domain trust information
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=trusts,dc=corp,dc=com" "(objectClass=ipaNTTrustedDomain)" ipaNTFlatName ipaNTTrustedDomainSID
MITRE ATT&CK: T1482 (Domain Trust Discovery)
Priority 10: Topology & Replication
Every replica holds a full copy of the directory, so the least-exposed or least-patched server in the topology is as good a target as the one you started with. The ipaConfigString values under cn=masters show which roles (CA, KRA, DNS, AD trust) each server runs and which one is the CA renewal master.
# 28. Enumerate FreeIPA servers and their roles (ipaConfigString marks enabled services and the CA renewal master)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=masters,cn=ipa,cn=etc,dc=corp,dc=com" "(objectClass=*)" cn ipaConfigString
# 29. Extract replication topology segments (which servers replicate with which; the underlying agreements live in cn=config and need Directory Manager)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=topology,cn=ipa,cn=etc,dc=corp,dc=com" "(objectClass=ipaReplTopoSegment)" cn ipaReplTopoSegmentLeftNode ipaReplTopoSegmentRightNode ipaReplTopoSegmentDirection
# 30. Find all FreeIPA configuration
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=etc,dc=corp,dc=com" "(objectClass=*)" > ipa_config_full.ldif
Priority 11: Automation & Vaults
Vault entries are catalogued in LDAP while the secrets themselves are held by the KRA, so enumeration shows which vaults exist and who owns them, not their contents. LDAP system accounts (cn=sysaccounts,cn=etc) are the bind identities applications and automation use; they are often granted broad read, and sometimes write, permissions, and their names tell you which systems hold directory credentials worth stealing.
# 31. List vaults (names, types and owners only; the secrets live in the KRA, not in LDAP, and this container is usually restricted)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=vaults,cn=kra,dc=corp,dc=com" "(objectClass=ipaVault)" cn description ipaVaultType owner member
# 32. Enumerate LDAP system (bind) accounts used by applications and automation; the cn=etc dump in #30 includes these as well
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=sysaccounts,cn=etc,dc=corp,dc=com" "(objectClass=simpleSecurityObject)" uid description
# 33. Extract user authentication indicators (2FA status)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://ipa-server.com:636 -b "cn=users,cn=accounts,dc=corp,dc=com" "(objectClass=posixAccount)" uid ipaUserAuthType krbPrincipalAuthInd
Automated Full Dump
A full dump is the most efficient way to capture everything the bind you hold can read, for offline analysis. 389 Directory Server enforces a size limit (2000 entries by default), so page the search with the simple paged results control or the dump will be silently truncated, and disable LDIF line folding so that later greps see whole values.
# 34. Complete dump of everything the current bind can read (paged to get past the server size limit, unwrapped for grep)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -o ldif-wrap=no -E pr=1000/noprompt -H ldaps://ipa-server.com:636 -b "dc=corp,dc=com" -s sub "(objectClass=*)" > freeipa_complete_dump.ldif
# 35. Compatibility tree: flattened users, groups, netgroups and hosts published by the schema-compat plugin for legacy clients (the sudoers compat view is ou=sudoers,dc=corp,dc=com)
LDAPTLS_REQCERT=never ldapsearch -LLL -x -o ldif-wrap=no -E pr=1000/noprompt -H ldaps://ipa-server.com:636 -b "cn=compat,dc=corp,dc=com" "(objectClass=*)" > compat_tree.ldif
Post-Extraction Analysis
Once the LDIF files are on disk, quick greps surface the highest-value findings. Two LDIF details bite naive pipelines: ldapsearch folds values longer than 76 characters onto continuation lines that start with a space, and it base64-encodes any non-ASCII value (written as attr:: value), so either add -o ldif-wrap=no to the searches or parse the LDIF properly before trusting a grep.
# Parse extracted data for actionable intelligence
grep -i "admin\|root\|privileged" groups.ldif
grep -i '!authenticate\|cmdCategory: all' sudo_rules.ldif   # NOPASSWD is stored as the option !authenticate; single quotes keep bash from expanding the !
grep "krbPrincipalName: HTTP/" services.ldif | cut -d' ' -f2 > kerberoast_targets.txt   # candidates only: FreeIPA service keys are random, see Priority 4
awk '/^uid:/ {user=$2} /^mail:/ {print user, $2}' freeipa_complete_dump.ldif > user_emails.txt   # the full dump from #34 carries uid and mail for every user
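The greps above are a first pass. As an added example that is not part of the original cheatsheet, the script below does the same triage for the sudo (Priority 2) and HBAC (Priority 3) dumps with a small LDIF parser that rejoins folded lines and decodes base64 values, then flags the conditions the individual ldapsearch filters look for: enabled rules with cmdCategory=all, the !authenticate option, userCategory=all or hostCategory=all, and enabled HBAC allow rules without user or host restrictions. SAMPLE_LDIF is constructed data with made-up ipaUniqueIDs in the shape of the native cn=sudo and cn=hbac trees; point parse_ldif at sudo_rules.ldif and hbac_rules.ldif for real output.

```python
"""Parse ldapsearch -LLL output and triage FreeIPA sudo and HBAC rules.

Added example, not part of the original cheatsheet. SAMPLE_LDIF is constructed
data (made-up ipaUniqueIDs) shaped like the native cn=sudo and cn=hbac trees.
"""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

SAMPLE_LDIF = """\
dn: ipaUniqueID=1a2b3c4d-0000-4000-8000-000000000001,cn=sudorules,cn=sudo,dc=corp,dc=com
cn: ops-all
ipaEnabledFlag: TRUE
userCategory: all
hostCategory: all
cmdCategory: all
ipaSudoOpt: !authenticate
description:: b3BzIGVtZXJnZW5jeSBhY2Nlc3M=

dn: ipaUniqueID=1a2b3c4d-0000-4000-8000-000000000002,cn=sudorules,cn=sudo,dc=corp,dc=com
cn: dba-restart
ipaEnabledFlag: TRUE
memberHost: cn=dbservers,cn=hostgroups,cn=accounts,dc=corp,dc=com
memberAllowCmd: ipaUniqueID=1a2b3c4d-0000-4000-8000-000000000010,cn=sudocmds,cn=s
 udo,dc=corp,dc=com

dn: ipaUniqueID=1a2b3c4d-0000-4000-8000-000000000020,cn=hbac,dc=corp,dc=com
cn: allow_all
ipaEnabledFlag: TRUE
accessRuleType: allow
userCategory: all
hostCategory: all
serviceCategory: all

dn: ipaUniqueID=1a2b3c4d-0000-4000-8000-000000000021,cn=hbac,dc=corp,dc=com
cn: legacy-vpn
ipaEnabledFlag: FALSE
accessRuleType: allow
userCategory: all
hostCategory: all
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=corp,dc=com
"""


def parse_ldif(text: str) -> List[Entry]:
    """ldapsearch -LLL output -> entries as {attribute (lower-cased): [values]}."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line: rejoin
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:                   # trailing sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def _values(entry: Entry, attr: str) -> List[str]:
    return [v.lower() for v in entry.get(attr.lower(), [])]


def _enabled(entry: Entry) -> bool:
    return _values(entry, "ipaEnabledFlag") == ["true"]


def triage_sudo(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """(cn, reasons) for enabled sudo rules that widen who can run what, where."""
    findings = []
    for e in entries:
        if ",cn=sudorules,cn=sudo," not in e["dn"][0].lower() or not _enabled(e):
            continue
        reasons = []
        if "all" in _values(e, "cmdCategory"):
            reasons.append("cmdCategory=all: any command")
        if "!authenticate" in _values(e, "ipaSudoOpt"):
            reasons.append("ipaSudoOpt=!authenticate: no password (NOPASSWD)")
        if "all" in _values(e, "userCategory"):
            reasons.append("userCategory=all: every user")
        if "all" in _values(e, "hostCategory"):
            reasons.append("hostCategory=all: every enrolled host")
        if reasons:
            findings.append((e["cn"][0], reasons))
    return findings


def triage_hbac(entries: List[Entry]) -> List[str]:
    """Enabled allow rules with neither a user nor a host restriction (the allow_all shape)."""
    return [e["cn"][0] for e in entries
            if ",cn=hbac," in e["dn"][0].lower() and _enabled(e)
            and _values(e, "accessRuleType") == ["allow"]
            and "all" in _values(e, "userCategory") and "all" in _values(e, "hostCategory")]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for cn, reasons in triage_sudo(parsed):
        print("sudo", cn, "->", "; ".join(reasons))
    print("permissive HBAC:", triage_hbac(parsed))
```

On the sample, ops-all is reported with all four reasons, dba-restart is silent (scoped to a host group and a specific command, whose folded DN is rejoined intact), allow_all is the one permissive HBAC rule, and legacy-vpn is ignored because it is disabled. The base64 description decodes to a readable string that a plain grep on the LDIF would never have matched.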