Hello,
I already posted some messages about the fact that for shell backends
the ACLs are checked by the slapd daemon only for the search method and
not for the modify method.
I still think that this is not a very good thing for the following reasons:
a) Some methods of the shell backend have to check the ACLs (e.g. modify)
while some others do not have to bother about them (e.g. search)
b) ACLs checking is very complex, duplicate this code between slapd and
shell backend may not be a good thing
c) Altering the slapd interface to shell backend to make it checking ACLs
for the modify method seems to be quite easy
You will find attached to this mail a diff patch for the directory
servers/slapd/back-shell which do the work. The method used to check ACLs
for modify method is to call the search method of the shell backend to
get the full entry to be modified with its attributes and then checking
the ACLs for modification.
Is there a fundamental reason that this patch cannot be applied to the
official sources ?
The patch also include an example backend which provide bind and modify
methods. This example is based on the original search example. Take a look to
a sample of the config file:
==============================================================
# Database definition
database shell
suffix "dc=example,dc=org"
search ./search.sh
bind ./bind.sh
modify ./modify.sh
# The password can be changed by its owner, others should
# not be able to see it, except the admin
access to attrs=userPassword
by dn="cn=root,dc=example,dc=org" write
by dnattr=member write
by * compare
==============================================================
And take a look to a session with this shell backend example:
$ ldapsearch -x -b "dc=example,dc=org" "(uid=hinvisib)"
version: 2
#
# filter: (uid=hinvisib)
# requesting: ALL
#
# hinvisib,dc=example,dc=org
dn: cn=hinvisib,dc=example,dc=org
objectClass: top
objectClass: person
cn: hinvisib
cn: Homme Invisible
sn: hinvisib
uid: hinvisib
member: cn=hinvisib,dc=example,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
$ ldapsearch -x -b "dc=example,dc=org" -D "cn=hinvisib,dc=example,dc=org" -W
"(uid=hinvisib)"
Enter LDAP Password:
version: 2
#
# filter: (uid=hinvisib)
# requesting: ALL
#
# hinvisib,dc=example,dc=org
dn: cn=hinvisib,dc=example,dc=org
objectClass: top
objectClass: person
cn: hinvisib
cn: Homme Invisible
sn: hinvisib
uid: hinvisib
member: cn=hinvisib,dc=example,dc=org
userPassword:: eVFSMm1PUlhYZjRFYw==
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
$ ldapmodify -x -D "cn=rex,dc=example,dc=org" -W < modify.data
Enter LDAP Password:
modifying entry "cn=hinvisib,dc=example,dc=org"
ldap_modify: Insufficient access
additional info: modify ACL check: permission denied
ldif_record() = 50
$ ldapmodify -x -D "cn=hinvisib,dc=example,dc=org" -W < modify.data
Enter LDAP Password:
modifying entry "cn=hinvisib,dc=example,dc=org"
Regards,
Xavier
Attachment:
back-shell.patch.gz
Description: Patch to servers/slapd/back-shell