Re: ACL order changes * by * read access (ITS#2068)
--On Thursday, September 05, 2002 8:17 AM +0200 Pierangelo Masarati
<masarati@aero.polimi.it> wrote:
> quanah@stanford.edu wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.1.4
>> OS: Solaris 8
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (171.64.13.58)
>>
>>
>> Hello,
>>
>> If I create an ACL file like this:
>>
>> # ACL include file for slapd
>> #
>> # this is specific to ldap4.stanford.edu for testing
>>
>> access to *
>> by dn="cn=manager,dc=stanford,dc=edu" write
>> by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
>> by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
>> by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
>> by * read
>>
>> access to dn=".*,cn=People,dc=stanford,dc=edu"
>> by dn="cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write
>>
>> access to dn=".*,cn=Accounts,dc=stanford,dc=edu"
>> by dn="cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write
>>
>> Access seems to work correctly. However, if I change the order thus:
>>
>> # ACL include file for slapd
>> #
>> # this is specific to ldap4.stanford.edu for testing
>>
>> access to dn=".*,cn=People,dc=stanford,dc=edu"
>> by dn="cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write
>>
>> access to dn=".*,cn=Accounts,dc=stanford,dc=edu"
>> by dn="cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write
>>
>> access to *
>> by dn="cn=manager,dc=stanford,dc=edu" write
>> by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
>> by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
>> by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
>> by * read
>>
>>
>> When I do an ldapsearch, I see only the Accounts subtree. I would guess
>> that something is incorrect in the way in which slapd parses the regexp
>> for the first 2 entries in the second example.
>
> Assuming regexes on your system are working well, these ACLs allow
> "cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write access
> to the "cn=People" subtree, and no one else can access it or even
> authenticate with a DN under that subtree; they also allow
> "cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write access
> to the cn=Accounts subtree, and no one else can access that subtree.
> Everybody is then granted read access to everything except the
> previous subtrees. What DN are you binding with when you see
> the "cn=Accounts" subtree, and what are you using for the rest?
I am binding as ldapAdmin. Also, as I understand it, since it says access
to * by * read, I would assume that I should be able to read the whole
database, just as in case 1. From what you are saying, it sounds like the
ACL file is extremely order specific.
--Quanah
--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
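To make the first-match rule in this thread concrete, here is an added Python model (not OpenLDAP code) of how slapd evaluates an ACL file: the first "access to" target that matches the entry is chosen, and within it the first matching "by" clause decides, with denial if none matches. It treats "by dn=" as an exact DN comparison and uses constructed bind, group and entry DNs; the requester is modelled as a member of the ldapAdmin group.

```python
import re

# Constructed model of slapd ACL evaluation as discussed in the thread: the
# first "access to" target matching the entry is selected, and within it the
# first "by" clause matching the requester decides; with no matching "by"
# clause access is denied (the implicit trailing "by * none").
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def granted(acls, entry_dn, bind_dn=None, groups=(), need="read"):
    """True if bind_dn (None = anonymous) gets at least `need` on entry_dn."""
    for target, by_clauses in acls:
        # slapd anchors "to dn=<regex>" at both ends, hence fullmatch.
        if target != "*" and not re.fullmatch(target, entry_dn):
            continue
        for who, level in by_clauses:
            kind, _, value = who.partition("=")
            if (who == "*" or (kind == "dn" and value == bind_dn)
                    or (kind == "group" and value in groups)):
                return LEVELS.index(level) >= LEVELS.index(need)
        return False   # target matched but no "by" clause did: deny, stop
    return False       # no target matched at all

APPS = "cn=Applications,dc=stanford,dc=edu"
CATCH_ALL = ("*", [("dn=cn=manager,dc=stanford,dc=edu", "write"),
                   (f"group=cn=Supervisor,{APPS}", "write"),
                   (f"group=cn=ldapAdmin,{APPS}", "read"),
                   (f"dn=cn=replicator,{APPS}", "read"),
                   ("*", "read")])
PEOPLE = (r".*,cn=People,dc=stanford,dc=edu",
          [(f"dn=cn=SLOG-People,{APPS}", "write")])
ACCOUNTS = (r".*,cn=Accounts,dc=stanford,dc=edu",
            [(f"dn=cn=SLOG-Accounts,{APPS}", "write")])

ORDER_1 = [CATCH_ALL, PEOPLE, ACCOUNTS]   # first file in the report
ORDER_2 = [PEOPLE, ACCOUNTS, CATCH_ALL]   # reordered file

LDAP_ADMIN = (f"cn=ldapAdmin,{APPS}",)                 # group membership (constructed)
PERSON = "uid=alice,cn=People,dc=stanford,dc=edu"      # constructed entry DN

def admin_reads_person(acls):
    return granted(acls, PERSON, "cn=someadmin,dc=stanford,dc=edu", LDAP_ADMIN)

def anon_can_auth_as_person(acls):
    # Binding as a People entry needs "auth" on it; ORDER_2 grants it to nobody.
    return granted(acls, PERSON, None, (), need="auth")

if __name__ == "__main__":
    for name, acls in (("order 1", ORDER_1), ("order 2", ORDER_2)):
        print(name, "ldapAdmin reads person:", admin_reads_person(acls),
              "| anonymous auth on person:", anon_can_auth_as_person(acls))
```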