Mark,

I think you will need at least a Filter Matching permission for attributes as well. A classical way to break security in a directory is to search for entries with userPassword=*joan* (or whatever...).

Should there be a permission for Compare operations as well? Denying compare on operational information could be used to keep curious users from poking at the ACIs themselves.

Cheers,

....Erik.

Erik Skovgaard
Siemens Meta-Directory Solutions
Phone: +1 604-204-0750
Fax: +1 604-204-0760

-----Original Message-----
From: Mark Davidson [mailto:markd@pwd.hp.com]
Sent: Friday, July 06, 2001 05:44
To: ietf-ldapext@netscape.com
Subject: ACM permission

I have been thinking about simplifying the permissions in the ACM and also adding permissions for controls. How about:

permissions for attributes: read, modify, create, delete
permissions for entries: read, modify, create, delete
and add control OID as a possible target with a permission of use

so:

ACI = rights "#" target "#" generalSubject

permission = "r" / ; read
             "m" / ; modify
             "c" / ; create
             "d" / ; delete
             "u"   ; use
             ; permission u can only be used on controls

target = "[all]" /
         "[entry]" /
         (attribute *("," attribute)) /
         "[controls]" /
         (controlType *("," controlType))

controlType is defined in RFC2251

Granting these permissions allows:

Entry read - allows access to DN
Entry modify - can change DN
Entry create - can create an entry below this entry
Entry delete - can delete this entry
Attribute read - can read attribute
Attribute modify - can modify replace attribute values
Attribute delete - can modify delete attribute values
Attribute create - can modify add attribute values
Control use - can use control where aci is active (this replaces the g permission in a more general way)

This does not give quite the same detailed level of control as the current scheme, but is much easier to understand from an administration point of view, rather than a protocol point of view.

Mark
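As an added illustration (not code from the draft, the list, or either author), a small evaluator for the rights "#" target "#" generalSubject syntax proposed above. It enforces the rule that "u" applies only to control targets and models an assumed extra letter "f" for the filter-matching right Erik asks for; the subject string and the control OID are constructed placeholders.

```python
from dataclasses import dataclass

# r/m/c/d/u are the letters from the proposal. "f" (filter matching) is an
# assumed extra right added here to model the gap Erik points out; it is not
# part of the proposed grammar.
PERMISSIONS = set("rmcduf")


@dataclass(frozen=True)
class Aci:
    rights: frozenset
    target: str   # "[all]", "[entry]", "[controls]", or "a,b" of attribute names / control OIDs
    subject: str  # generalSubject, compared literally here (simplifying assumption)


def _is_oid(s):
    return bool(s) and all(part.isdigit() for part in s.split("."))


def parse_aci(text):
    """Parse rights "#" target "#" generalSubject, rejecting 'u' on non-control targets."""
    rights, target, subject = text.split("#", 2)
    rights = frozenset(rights)
    if not rights <= PERMISSIONS:
        raise ValueError(f"unknown permission letter in {text!r}")
    names = [] if target.startswith("[") else target.split(",")
    if "u" in rights and not (target == "[controls]" or (names and all(map(_is_oid, names)))):
        raise ValueError(f"'u' (use) is only valid on control targets: {text!r}")
    return Aci(rights, target, subject)


def _covers(aci, kind, name):
    """Does this ACI's target include the entry, attribute or control in question?"""
    t = aci.target
    if t == "[all]":
        return True
    if kind == "entry":
        return t == "[entry]"
    if kind == "control":
        return t == "[controls]" or name in t.split(",")
    return not t.startswith("[") and name in t.split(",")  # attribute list


def permitted(acis, subject, right, kind, name=None):
    return any(a.subject == subject and right in a.rights and _covers(a, kind, name) for a in acis)


def filter_permitted(acis, subject, filter_attrs):
    """Allow a search filter only if every attribute it tests carries the filter-match
    right; otherwise a filter such as (userPassword=*joan*) works as an oracle."""
    return all(permitted(acis, subject, "f", "attribute", a) for a in filter_attrs)
```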