Hello, I already posted some messages about the fact that for shell backends the ACLs are checked by the slapd daemon only for the search method and not for the modify method. I still think that this is not a very good thing for the following reasons:

a) Some methods of the shell backend have to check the ACLs (e.g. modify) while some others do not have to bother about them (e.g. search).
b) ACL checking is very complex; duplicating this code between slapd and the shell backend may not be a good thing.
c) Altering the slapd interface to the shell backend to make it check ACLs for the modify method seems to be quite easy.

You will find attached to this mail a diff patch for the directory servers/slapd/back-shell which does the work. The method used to check ACLs for the modify method is to call the search method of the shell backend to get the full entry to be modified with its attributes, and then check the ACLs for modification. Is there a fundamental reason that this patch cannot be applied to the official sources? The patch also includes an example backend which provides bind and modify methods. This example is based on the original search example.
Take a look at a sample of the config file:

==============================================================
# Database definition
database shell
suffix "dc=example,dc=org"
search ./search.sh
bind ./bind.sh
modify ./modify.sh

# The password can be changed by its owner, others should
# not be able to see it, except the admin
access to attrs=userPassword
        by dn="cn=root,dc=example,dc=org" write
        by dnattr=member write
        by * compare
==============================================================

And take a look at a session with this shell backend example:

$ ldapsearch -x -b "dc=example,dc=org" "(uid=hinvisib)"
version: 2

#
# filter: (uid=hinvisib)
# requesting: ALL
#

# hinvisib,dc=example,dc=org
dn: cn=hinvisib,dc=example,dc=org
objectClass: top
objectClass: person
cn: hinvisib
cn: Homme Invisible
sn: hinvisib
uid: hinvisib
member: cn=hinvisib,dc=example,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

$ ldapsearch -x -b "dc=example,dc=org" -D "cn=hinvisib,dc=example,dc=org" -W "(uid=hinvisib)"
Enter LDAP Password:
version: 2

#
# filter: (uid=hinvisib)
# requesting: ALL
#

# hinvisib,dc=example,dc=org
dn: cn=hinvisib,dc=example,dc=org
objectClass: top
objectClass: person
cn: hinvisib
cn: Homme Invisible
sn: hinvisib
uid: hinvisib
member: cn=hinvisib,dc=example,dc=org
userPassword:: eVFSMm1PUlhYZjRFYw==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

$ ldapmodify -x -D "cn=rex,dc=example,dc=org" -W < modify.data
Enter LDAP Password:
modifying entry "cn=hinvisib,dc=example,dc=org"
ldap_modify: Insufficient access
        additional info: modify ACL check: permission denied
ldif_record() = 50

$ ldapmodify -x -D "cn=hinvisib,dc=example,dc=org" -W < modify.data
Enter LDAP Password:
modifying entry "cn=hinvisib,dc=example,dc=org"

Regards,
Xavier
Attachment:
back-shell.patch.gz
Description: Patch to servers/slapd/back-shell
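The check the mail proposes, worked through as an added example that is neither the attached patch nor OpenLDAP code: a MODIFY request in the text format slapd hands to a back-shell script (the layout assumed here follows slapd-shell(5) as the author of this example recalls it), the entry is fetched first, and write access is then required on every attribute the request touches. The entry and the access clause are constructed to mirror the sample config and session above (the stored password is a placeholder), and the `by dnattr=member write` rule is the reason the full entry is needed before the decision can be made. Treating attributes the modeled ACL does not mention as not writable is this example's own choice, not slapd's default.

```python
"""Added example: ACL check for a back-shell MODIFY, modeled on the mail's config.
Not OpenLDAP or patch code; request format per slapd-shell(5) as recalled here."""

# slapd access levels from weakest to strongest; modify needs "write".
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed copy of the entry search.sh returns in the mail's session.
# The password value is a placeholder, not the real stored value.
DIRECTORY = {
    "cn=hinvisib,dc=example,dc=org": {
        "objectClass": ["top", "person"],
        "cn": ["hinvisib", "Homme Invisible"],
        "sn": ["hinvisib"],
        "uid": ["hinvisib"],
        "member": ["cn=hinvisib,dc=example,dc=org"],
        "userPassword": ["{PLACEHOLDER}"],
    },
}

# Model of "access to attrs=userPassword by ... " from the sample config.
# Each "by" clause is (selector, argument, granted level), in config order.
ACL = [
    (["userPassword"], [
        ("dn", "cn=root,dc=example,dc=org", "write"),
        ("dnattr", "member", "write"),
        ("*", None, "compare"),
    ]),
]


def normalize_dn(dn):
    """Cheap DN normalization for comparisons (lowercase, no padding)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_modify_request(text):
    """Parse a back-shell MODIFY request into (dn, [(op, attribute), ...]).
    Only the target dn and the add/delete/replace lines matter for the ACL
    decision; msgid, suffix and the attribute values are skipped."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "MODIFY":
        raise ValueError("not a MODIFY request")
    dn, ops = None, []
    for line in lines[1:]:
        if line.strip() in ("", "-"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn" and dn is None:
            dn = value
        elif key in ("add", "delete", "replace"):
            ops.append((key, value))
    if dn is None:
        raise ValueError("MODIFY request has no dn")
    return dn, ops


def access_granted(entry, attr, bound_dn):
    """Level bound_dn gets on attr: the first matching "by" clause of the first
    access clause covering the attribute wins, as in slapd."""
    bound = normalize_dn(bound_dn) if bound_dn else ""
    for attrs, by_clauses in ACL:
        if attr.lower() not in [a.lower() for a in attrs]:
            continue
        for selector, arg, level in by_clauses:
            if selector == "dn" and bound == normalize_dn(arg):
                return level
            if selector == "dnattr":
                members = [normalize_dn(v) for v in entry.get(arg, [])]
                if bound and bound in members:
                    return level
            if selector == "*":
                return level
        return "none"
    return "none"  # example's own choice for attributes the ACL does not cover


def check_modify(request_text, bound_dn, directory=DIRECTORY):
    """Mirror the patched flow: fetch the whole entry (the patch calls the
    backend's search for this), then require write access on every attribute
    the request touches. Returns (allowed, reason)."""
    dn, ops = parse_modify_request(request_text)
    entry = directory.get(normalize_dn(dn))
    if entry is None:
        return False, "no such object"
    for op, attr in ops:
        level = access_granted(entry, attr, bound_dn)
        if ACCESS_LEVELS.index(level) < ACCESS_LEVELS.index("write"):
            return False, "modify ACL check: permission denied (%s %s needs write, have %s)" % (op, attr, level)
    return True, "ok"


# Constructed request: the password change attempted by modify.data in the mail.
SAMPLE_REQUEST = """MODIFY
msgid: 3
suffix: dc=example,dc=org
dn: cn=hinvisib,dc=example,dc=org
replace: userPassword
userPassword: new-secret
-
"""

if __name__ == "__main__":
    for who in ("cn=rex,dc=example,dc=org", "cn=hinvisib,dc=example,dc=org", "cn=root,dc=example,dc=org"):
        print(who, check_modify(SAMPLE_REQUEST, who))
```

Run as-is, the three binds reproduce the session: cn=rex only reaches `compare` on userPassword and is refused, while cn=hinvisib (listed in the entry's `member` attribute) and cn=root get `write`. The lookup of the entry before evaluating `dnattr` is exactly the step a modify.sh script cannot skip, which is why doing it once in slapd is preferable to repeating it in every backend script.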